b'2012 FISMA Executive Summary\nReport\n\n\n\n\n                                     March 29, 2013\n                                     Report No. 512\n\n           REDACTED PUBLIC VERSION\n\x0c                                               UNITED STATES\n                             SECURITIES AND EXCHANGE COMMISSION\n                                         WASHINGTON, D.C. 20549\n\n\n     OI\'!\'ICEOI\'\nlNStfl!\xc2\xa3C1\'0R GENERAt\n\n\n\n\n                                         MEMORANDUM\n                                              March 29,2013\n\n            To:           Jeff Heslop, Chief Operating Officer, Office of the Chief Operating\n                           Officer\n                          Thomas A. Bayer, Director/Chief Information Officer, Office of\n                            lnforrnqtion Tech ofogy\n                                 f/ /         /\n                               /"\'-\'\'\n            From:         Carf                     or Gen.eral, Office of Inspector General\n                                                           ~-~\'\xc2\xabo\n\n\n\n\n            Subject:      2012 FISMA Executive Summary Report, Report No. 512\n\n            This memorandum transmits the U.S. Securities and Exchange Commission\n            (SEC), Office of Inspector General\'s (OIG) final report detailing the results of our\n            2012 FISMA Executive Summary Report. The review was conducted as part of\n            our continuous effort to assess management of the Commission\'s programs and\n            operations and as a part of our annual audit plan.\n\n            The report contains 11 recommendations which if fully implemented should\n            strengthen the SEC\'s controls over information security. The Office of the Chief\n            Operating Officer and the Office of Information Technology concurred with all the\n            recommendations that were addressed to their respective offices. Your written\n            response to the draft report is included in Appendix VII.\n\n           Within the next 45 days, please provide the OIG with a written corrective action\n           plan that is designed to address the recommendations. The corrective action\n           plan should include information such as the responsible official/point of contact,\n           timeframes for completing required actions, and milestones identifying how you\n           will address the recommendations.\n\n\n\n\n                        REDACTED PUBLIC VERSION \n\n\x0cShould you have any questions regarding this report, please do not hesitate to\ncontact me. We appreciate the courtesy and cooperation that you and your staff\nextended to our office.\n\nAttachment\n\ncc:    Elisse B. Walter, Chairman\n       Erica Y. Williams, Deputy Chief of Staff, Office of the Chairman\n       Luis A. Aguilar, Commissioner\n       Troy A. Paredes, Commissioner\n       Daniel Gallagher, Commissioner\n       Pamela C. Dyson, Deputy Director/Deputy Chief Information Officer,\n         Office of Information Technology\n       Todd K. Scharf, Associate Director, Chief Information Security Officer,\n         Office of Information Technology\n\n\n\n\n2012 FISMA Executive Summary Report                                  March 29, 2013\nReport No. 512\n                                      Page ii\n\n                         REDACTED PUBLIC VERSION\n\x0c2012 FISMA Executive Summary Report\n\n\n                                   Executive Summary\nThe U.S. Securities and Exchange Commission (SEC or Commission) Office of\nInspector General (OIG) contracted the services of Networking Institute of\nTechnology, Inc. (NIT) to conduct the fiscal year 2012 Federal Information\nSecurity Management Act (FISMA) assessment and a review of the SEC\xe2\x80\x99s\nsecurity requirements.\n\nFISMA was enacted, in 2002 as Title III of the E-Government Act of 2002, to\nrecognize the importance of information security to the economic and national\nsecurity interests of the United States. 1 The law emphasizes the need for\norganizations to develop, document, and implement organization-wide programs\nproviding security for the information systems supporting the organization\xe2\x80\x99s\noperations and assets, as well as information systems provided or managed by\nother agencies, contractors, or other sources. FISMA provides the framework\nfor securing the federal government\xe2\x80\x99s information technology (IT) and requires\nagency program officials, chief information officers (CIO), privacy officers, and\ninspectors general to conduct annual reviews of the agency\xe2\x80\x99s information\nsecurity and privacy programs and report the results to Office of Management\nand Budget (OMB). For fiscal year 2012, FISM 12-02 provides instructions to\nheads of executive departments and agencies for meeting the fiscal year 2012\nreporting requirements. It also requires inspectors general to independently\nevaluate and report how their department\xe2\x80\x99s or agency\xe2\x80\x99s CIO, senior agency\nofficial for privacy, and program officials implemented information security\nrequirements.\n\nThe Office of Information Technology (OIT) supports the SEC and its staff in all\nareas of IT. The office has overall management responsibility for the Commission\'s\nIT program including application development, infrastructure operations and\nengineering, user support, IT program management, capital planning, security,\nenterprise architecture, and implementing the SEC\xe2\x80\x99s FISMA requirements. OIT\xe2\x80\x99s\nCIO is responsible for developing and maintaining a Commission-wide\ninformation security program. The office also includes a Chief Information\nSecurity Officer (CISO) who, among other things, is responsible for establishing\nand maintaining the SEC\xe2\x80\x99s security posture.\n\nObjectives. The overall objective of the 2012 FISMA assessment was to assess\nthe SEC\xe2\x80\x99s systems and provide OIG with input to the SEC\xe2\x80\x99s response to the\n\n1\n    Title III, Publication L, No. 107-347 (December 17, 2002).\n2012 FISMA Executive Summary Report                                  March 29, 2013\nReport No. 512\n                                                    Page iii\n\n                                   REDACTED PUBLIC VERSION\n\x0cOMB. The assessment included a review of the SEC\xe2\x80\x99s information security\nposture, as required annually by FISMA. The 2012 FISMA assessment included\nthe following mandated security requirements:\n\n   \xe2\x80\xa2   continuous monitoring management\n   \xe2\x80\xa2   configuration management\n   \xe2\x80\xa2   identity and access management\n   \xe2\x80\xa2   incident response and reporting\n   \xe2\x80\xa2   risk management\n   \xe2\x80\xa2   security training\n   \xe2\x80\xa2   plan of action and milestones\n   \xe2\x80\xa2   remote access management\n   \xe2\x80\xa2   contingency planning\n   \xe2\x80\xa2   contractor systems\n   \xe2\x80\xa2   security capital planning\n\nIn addition to the mandated security requirements, NIT independently evaluated\nand reported on how the Commission has implemented the following security\nrequirements:\n\n   \xe2\x80\xa2   systems inventory and the quality of the inventory\n   \xe2\x80\xa2   enterprise security architecture\n   \xe2\x80\xa2   data and boundary protection\n   \xe2\x80\xa2   network security protocols\n\nThe evaluation criteria for the requirements listed above is based on the National\nInstitute of Standards and Technology (NIST) standards and industry best\npractices. There were no findings related to these requirements.\n\nResults. Our review found that OIT did not fully conduct and document\ncontinuous monitoring in accordance with certain NIST requirements.\nContinuous monitoring is the process where organizations develop a strategy\nand implement a program for the continuous monitoring of security control\neffectiveness. It includes the potential need to change or supplement a control\nset, taking into account any proposed/actual changes to the information system\nor its operational environment. OIT conducts penetration testing and vulnerability\nscanning on a continuous basis and provided NIT with its penetration test\nreports. However, we found that penetration testing is not sufficient to meet the\ncontinuous monitoring strategy requirements per NIST Special Publication (SP)\n800-137. We also found that OIT did not test some areas between the three-\nyear certification and accreditation (C&A) assessment cycle, or on a continuous\nbasis for critical security controls. As a result, OIT\xe2\x80\x99s continuous monitoring\nprogram needs improvement.\n\n2012 FISMA Executive Summary Report                                  March 29, 2013\nReport No. 512\n                                      Page iv\n\n                         REDACTED PUBLIC VERSION\n\x0cFurther, we found that OIT configuration management program is generally in\ncompliance with governing FISMA requirements and NIST guidelines. However,\nOIT has not defined baseline configurations and it has not conducted\nconfiguration compliance scanning for                       . OIT implemented\nconfiguration baselines for all                   and it scans all\n                                   for baseline configuration compliance and\ndocuments and it approves all deviations from the baseline. Also, OIT did not\nimplement configuration baselines for                      . OIT began\nestablishing baselines and implemented compliance scanning for\n         in August of 2012 and asserts it is scheduled to be completed with the\nprocess by the end of March 2013. However, OIT has not fully implemented\nbaseline configurations and compliance scanning                          .\n\nAdditionally, OIT has not approved a formal project plan to implement personal\nidentity verification (PIV) and it has not implemented a technical solution to link\nPIV badges to multi-factor authentication. As a result, the SEC is not compliant\nwith the Federal Information Processing Standards Publication (FIPS) 201-1,\nwhich could expose the Commission to unauthorized access to its information\nsystems.\n\nOur assessment of the SEC\xe2\x80\x99s risk management strategy found that it does not\naddress the requirements needed for a comprehensive governance structure and\norganizational overall security risk management. Further, it does not address\nrisk from a mission and business process perspective, as described in the risk\nmanagement framework (RMF) identified in NIST SP 800-37, Rev. 1.2. 3 As a\nresult of not updating the risk management strategy to address NIST guidelines,\nthe SEC could be exposed to higher risk levels.\n\nOur review also found that Designated Authorizing Officials are not fully involving\nthe Information System Owners (ISO) in system security categorization as\ndirected by NIST SP 800-37, Guide for Applying the Risk Management\nFramework to Federal Information Systems, A Security Lifecycle Approach, Task\n1-1. Not involving the ISO in the categorization process runs the risk of them not\nunderstanding the overall context of the system and the subsequent security\ncontrols needed to properly safeguard agency information. Our review of the\ndocumentation for the systems in our sample universe found that the systems in\nour sample had FIPS 199 system security categorizations.\n\nBased on our review we determined that OIT did not tailor its baseline security\ncontrols for specific systems that require such controls. We further found OIT did\n\n2\n NIST SP 800-37, Rev. 1, p. 2, Section 1.2, Purpose and Applicability.\n\n3\n NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information \n\nSystems: A Security Life Cycle Approach (February 2010) p. 2, Section 1.2, Purpose and Applicability.\n\n2012 FISMA Executive Summary Report                                                      March 29, 2013\nReport No. 512\n                                                Page v\n\n                               REDACTED PUBLIC VERSION\n\n\x0cnot tailor baseline security controls for the nine information systems in our\nsample universe. Also, the system security plan for the systems in our sample\nuniverse did not include OIT\xe2\x80\x99s decision to not tailor during the security control\nselection process, nor its rationale for the decision. While OIT has not tailored\nbaseline security controls, it has identified and selected a generic set of baseline\nsecurity controls that are based on the security categorization of the system. OIT\nalso did not develop formal procedures or instructions regarding tailoring it\nbaseline security controls in accordance with NIST SP 800-53, Rev. 3 guidelines.\n\nThe security awareness training program could be improved by including role-\nbased training for IT staff in information security. Moreover, IT security\nawareness training program does not specify who is required to take role-based\ntraining and there is no enforcement mechanism to ensure IT staff have taken\nthe correct role-based training, based on duties and responsibilities. The IT\nsecurity awareness training program should include role-based training for staff\nhaving information security duties.\n\nThough OIT establishes milestone remediation dates for plan of action and\nmilestones (POA&M) it did not adhere to specific milestone remediation dates\nidentified when closing POA&Ms. As a result, POA&Ms are open for an\nextended period of time, which puts the Commission at risk if the weakness is not\nremediated in a timely manner.\n\nAlthough OIT has now updated many of its policies, the office did not update the\nexisting procedures for the 18 control families to ensure compliance with the new\npolicy. OIT has not developed procedures for risk management, continuous\nmonitoring management, and information security oversight over systems\noperated by SEC contractors and other entities. Though OIT has made progress\nin correcting policy deficiencies the lack of procedures could result in OIT\nimproperly implementing informal procedures that is not consistent with\nmanagement\xe2\x80\x99s expectations and current policy.\n\nWe further found OIT could improve its process for documenting the interfaces\nbetween the contractor/external systems and SEC-operated systems in its\nsystem inventory. The absence of interface data related to systems within the\nsystem inventory may lead to confusion when making risk-based decisions for\nexternal systems.\n\nOIT did not disable the network accounts for all users who no longer require\naccess or who no longer work at the SEC. As a result, some users still had\naccess to the SEC\xe2\x80\x99s network, which put the Commission at a higher risk for\nmalicious acts.\n\n\n\n2012 FISMA Executive Summary Report                                   March 29, 2013\nReport No. 512\n                                      Page vi\n\n                         REDACTED PUBLIC VERSION\n\x0cFinally, OIT had repeat findings and six repeat recommendations from a prior\nissued OIG report that have not been fully addressed and were found to still exist\nas deficiencies during this review.\n\nSummary of Recommendations. The report contains 11 recommendations\nthat were developed to strengthen the SEC\xe2\x80\x99s controls over information security.\nOur most significant recommendations were having OIT to revise its security\nassessment procedures, annually assess a subset of its manager system\xe2\x80\x99s\nsecurity controls, and develop and implement a continuous monitoring strategy in\naccordance with applicable NIST requirements.\n\nWe further recommended OIT continue its implementation of its risk strategy to\nensure risk is addressed at the organization, mission and business, and\ninformation system levels of the risk management framework. The Office of Risk\nManagement should work with OIT to provide training to management throughout\nthe Commission regarding their roles and responsibilities related to operating in a\nthree-tiered risk management framework.\n\nIn addition, OIT should develop procedures to obtain documented approval, by\nadding a signature block to the security categorization form, from the system\nowner and the authorizing official in step one of the risk management framework.\n\nTo improve its POA&M tracking, we recommended OIT review all POA&Ms and\nupdate its tracking system to include future remediation dates and ensure\nPOA&Ms are closed or mitigated to an acceptable level.\n\nFinally, OIT should review all user accounts and disable accounts that are no\nlonger needed and perform periodic reviews of user accounts and develop\ninternal controls to ensure periodic reviews of user accounts are performed on\naccounts that are terminated.\n\nManagement\xe2\x80\x99s Response to the Report\xe2\x80\x99s Recommendations. OIG provided\nSEC management with the formal draft report on March 18, 2013. SEC\nmanagement concurred with all recommendations in this report. OIG considers\nthe report recommendations resolved. However, the recommendations will\nremain open until documentation is provided to OIG that supports each\nrecommendation has been fully implemented. SEC management\xe2\x80\x99s response to\neach recommendation and OIG\xe2\x80\x99s analysis of their responses are presented after\neach recommendation in the body of this report.\n\nThe full version of this report includes information that the SEC considers to be\nsensitive and proprietary. To create this public version of the report, OIG\nredacted (blacked out) potentially sensitive, proprietary information from the\nreport.\n\n2012 FISMA Executive Summary Report                                   March 29, 2013\nReport No. 512\n                                      Page vii\n\n                         REDACTED PUBLIC VERSION\n\x0cTABLE OF CONTENTS\nExecutive Summary ......................................................................................................iii\n\n\nTable of Contents ....................................................................................................... viii\n\n\nBackground and Objectives .................................................................................. 1\n\n     Background ....................................................................................................... 1\n\n     Objectives .......................................................................................................... 2\n\n\nFindings and Recommendations ......................................................................... 3\n\n     Finding 1: OIT\xe2\x80\x99s Continuous Monitoring Program Needs Improvement ............ 3\n\n                  Recommendation 1....................................................................... 6\n\n                  Recommendation 2....................................................................... 6\n\n\n         Finding 2: OIT Has Not Fully Implemented Baseline Configurations and \n\n         Compliance Scanning for                    ................................................... 7\n\n\n         Finding 3: OIT Has Not Implemented Multi-Factor Authentication to the \n\n         SEC\xe2\x80\x99s PIV Program ............................................................................................ 9\n\n\n         Finding 4: The SEC\xe2\x80\x99s Risk Management Strategy Does Not Address a \n\n         Comprehensive Governance Structure or the SEC\xe2\x80\x99s Overall Security\n\n         Risks ................................................................................................................ 12\n\n                           Recommendation 3..................................................................... 14\n\n                           Recommendation 4..................................................................... 14\n\n\n         Finding 5: OIT Did Not Categorize the SEC\xe2\x80\x99s Information Systems In \n\n         Accordance with NIST\xe2\x80\x99s Risk Management Framework .................................. 15\n\n                      Recommendation 5..................................................................... 17\n\n                      Recommendation 6..................................................................... 17\n\n\n         Finding 6: OIT Has Not Tailored Baseline Security Controls for Specific\n\n         Systems ........................................................................................................... 17\n\n\n         Finding 7: IT Security Awareness Training Program Could be Improved by\n\n         Including Role-Based Training for Staff with IT Duties and Responsibilities .... 21\n\n                       Recommendation 7..................................................................... 23\n\n\n         Finding 8: OIT Did Not Adhere to the Milestone Remediation Dates\n\n         Identified to Close POA&Ms Having Lower Priority Risks ................................ 24\n\n                        Recommendation 8..................................................................... 26\n\n\n         Finding 9: OIT Did Not Update its Procedures ................................................. 26\n\n2012 FISMA Executive Summary Report                                                                   March 29, 2013\n\nReport No. 512\n\n                                                      Page viii\n\n\n                                   REDACTED PUBLIC VERSION\n\x0c         Finding 10: OIT Did Not Document its Interface Between Contractor and \n\n         SEC-Operated Systems ................................................................................... 29\n\n                      Recommendation 9..................................................................... 30\n\n\n         Finding 11: OIT Did Not Terminate/Deactivate Accounts for all SEC\n\n         Employees/Contractors\xe2\x80\x99 Access to Local Area Network Access Who No \n\n         Longer Work at the SEC .................................................................................. 30\n\n                      Recommendation 10................................................................... 31\n\n                      Recommendation 11................................................................... 32\n\n\nTables\n     Table 1: Open POA&Ms .................................................................................. 24\n\n     Table 2: Sample POA&Ms .............................................................................. 25\n\n     Table 3: Listing of IT Related SECRs.............................................................. 27\n\n     Table 4: Evaluation Objectives for System Inventory and the Quality of\n\n        the Inventory ............................................................................................... 43\n\n     Table 5: Evaluation Objectives for Enterprise Security Architecture ............... 45\n\n     Table 6: Evaluation Objectives for Data and Boundary Protection .................. 47\n\n     Table 7: Evaluation Objectives for Network Security Protocols ....................... 49\n\n     Table 8: POA&Ms and Remediation Dates ..................................................... 50\n\n\nAppendices\n    Appendix I: Abbreviations................................................................................. 33\n\n    Appendix II: Scope and Methodology............................................................... 35\n\n    Appendix III: Criteria and Guidance ................................................................. 38\n\n    Appendix IV: List of Recommendations ........................................................... 40\n\n    Appendix V: Review of Additional Information Security Requirements ............ 42\n\n    Appendix VI: POA&Ms and Remediation Dates ............................................... 50\n\n    Appendix VII: Management Comments............................................................ 52\n\n\nFigures\n     Figure 1: Risk Management Framework Process Overview............................. 16\n\n     Figure 2: Security Control Selection Process ................................................... 18\n\n\n\n\n\n2012 FISMA Executive Summary Report                                                           March 29, 2013\n\nReport No. 512\n\n                                                   Page ix\n\n\n                                  REDACTED PUBLIC VERSION\n\x0c                       Background and Objectives\n\n\nBackground\nThe U.S. Securities and Exchange Commission (SEC or Commission) Office of\nInspector General (OIG) contracted the services of Networking Institute of\nTechnology, Inc. (NIT) to conduct the fiscal year 2012 Federal Information\nSecurity Management Act (FISMA) assessment and a review of the SEC\xe2\x80\x99s\nsecurity requirements.\n\nFISMA provides a framework for ensuring the effectiveness of information\nsecurity controls over federal operations and assets and it serves as a\nmechanism for oversight of federal information security programs. 4 Agency\ninformation security programs must provide for among other things, periodic risk\nassessments, policies and procedures based on the risk assessments, periodic\ntesting and evaluation of the effectiveness of policies and procedures, security\nplanning, security awareness training, and continuity of operations. FISMA also\nrequires federal agencies have an annual independent evaluation of their\ninformation security program and practices performed. The evaluation is\nconducted by the agency\xe2\x80\x99s inspector general or by an independent external\nauditor. 5\n\nFISMA also provides the framework for securing the Federal government\xe2\x80\x99s\ninformation technology (IT). FISMA emphasizes the need for organizations to\ndevelop, document, and implement an organization-wide program to provide\ninformation security for the systems supporting its operations and assets. All\nagencies must implement FISMA requirements and report annually to the Office\nof Management and Budget (OMB).\n\nThe Department of Homeland Security Memorandum FISM 12-02 provided\ninstructions to heads of executive departments and agencies for meeting the\nfiscal year 2012 reporting requirements. It also required inspectors general to\nindependently evaluate and report how their department or agency\xe2\x80\x99s chief\ninformation officer (CIO), senior agency official for privacy, and program officials\nimplemented information security requirements.\n\nThe Office of Information Technology (OIT) supports the SEC and its staff in all\nareas of IT. The office has overall management responsibility for the Commission\'s\n\n4\n    Title III, Pub. L, No. 107-347 (December 17, 2002).\n5\n    Ibid, \xc2\xa7 3545(a), (b).\n2012 FISMA Executive Summary Report                                    March 29, 2013\nReport No. 512\n                                                    Page 1\n\n                                   REDACTED PUBLIC VERSION\n\x0cIT program including application development, infrastructure operations and\nengineering, user support, IT program management, capital planning, security,\nenterprise architecture, as well as the SEC\xe2\x80\x99s FISMA requirements. OIT\xe2\x80\x99s CIO is\nresponsible for developing and maintaining a Commission-wide information\nsecurity program. The office also includes a Chief Information Security Officer\n(CISO) who, among other things, is responsible for establishing and maintaining\nthe SEC\xe2\x80\x99s security posture.\n\nObjectives\nThe overall objective of the FISMA assessment was to assess the SEC\xe2\x80\x99s\nsystems and provide the OIG with input to the SEC\xe2\x80\x99s response to the OMB. The\nassessment included a review of the SEC\xe2\x80\x99s information security posture, as\nrequired annually by FISMA. The FISMA assessment addressed the following\nmandated security requirements:\n\n   \xe2\x80\xa2   continuous monitoring management\n   \xe2\x80\xa2   configuration management\n   \xe2\x80\xa2   identity and access management\n   \xe2\x80\xa2   incident response and reporting\n   \xe2\x80\xa2   risk management\n   \xe2\x80\xa2   security training\n   \xe2\x80\xa2   plan of action and milestones\n   \xe2\x80\xa2   remote access management\n   \xe2\x80\xa2   contingency planning\n   \xe2\x80\xa2   contractor systems\n   \xe2\x80\xa2   security capital planning\n\nIn addition to the mandated security requirements, NIT independently evaluated\nand reported on how the Commission has implemented the following security\nrequirements:\n\n   \xe2\x80\xa2   systems inventory and the quality of the inventory\n   \xe2\x80\xa2   enterprise security architecture\n   \xe2\x80\xa2   data and boundary protection\n   \xe2\x80\xa2   network security protocols\n\nThe evaluation criteria for the objectives described above was based on National\nInstitute of Standards and Technology (NIST) standards and industry best\npractices.\n\n\n\n\n2012 FISMA Executive Summary Report                                March 29, 2013\nReport No. 512\n                                      Page 2\n\n                         REDACTED PUBLIC VERSION\n\x0c                 Findings and Recommendations\n\n\nFinding 1: OIT\xe2\x80\x99s Continuous Monitoring Program\nNeeds Improvement\n           OIT did not fully conduct and document continuous\n           monitoring for security controls in accordance with NIST\n           guidelines and does not have a formal continuous monitoring\n           program or strategy. As a result, the SEC could implement\n           an insufficient security program and is not operating within\n           acceptable risk tolerance levels.\n\nOIT has not fully conducted and documented continuous monitoring for security\ncontrols. While OIT assessed all security controls on a three-year Certification\nand Accreditation (C&A) assessment cycle and a subset of controls were\ninherently tested in between the three-year C&A cycle, some critical security\ncontrols (i.e., access control, physical access control devices) have not been\nreviewed in some cases, up to three years. In addition, OIT\xe2\x80\x99s continuous\nmonitoring strategy is not fully documented.\n\nOIT\xe2\x80\x99s Continuous Monitoring\nContinuous monitoring is the process where organizations develop a strategy\nand implement a program for the continuous monitoring of security control\neffectiveness. It includes the potential need to change or supplement a control\nset, taking into account any proposed/actual changes to the information system\nor its operational environment. 6 OIT\xe2\x80\x99s SEC\xe2\x80\x99s Operating Procedure (OP) 24-04\xc2\xad\n10-03, IT Security Assessment Procedure, issued April 28, 2006, mandates\ntesting all common, system-specific and hybrid security controls at least every\nthree years during the authorization period. This procedure does not address\nreviewing a subset of controls on a more frequent basis.\n\nNIST Special Publication (SP) 800-37, Revision (Rev.) 1 requires organization\nidentify critical security controls for ongoing monitoring and select a subset of\nsecurity controls for monitoring during the off years of a full C&A assessment\ncycle. 7 The C&A process consists of a comprehensive assessment of the\nmanagement, operational, and technical security controls in an information\nsystem. It is made in support of security accreditation to determine the extent to\nwhich the controls are implemented correctly, operating as intended, and are\n6\n    NIST SP 800-37, Rev. 1, p. G-1, Appendix G, Continuous Monitoring.\n7\n    Ibid.\n2012 FISMA Executive Summary Report                                       March 29, 2013\nReport No. 512\n                                                 Page 3\n\n                                 REDACTED PUBLIC VERSION\n\x0cproducing the desired outcome with respect to meeting the security requirements\nfor the system. Based on the results of the assessment, a senior agency official\nauthorizes an information system to operate and explicitly accepts the risk to\nagency operations. 8\n\nFurther, according to NIST SP 800-137 and NIST SP 800-37, Rev. 1,\norganizations should review a subset of their security controls to include\nmanagement, operational, and technical security control families, and security\ncontrols that should be evaluated on a rotating basis. Further, critical security\ncontrols should be evaluated more frequent monitoring.\n\nWe judgmentally selected 9 of 59 information systems to test the security\ncontrols. We also conducted a limited-review of the SEC\xe2\x80\x99s information security\nposture. Our sample universe consisted of the following systems:\n\n\n\n\nConsistent with the requirements in OP 24-04-10-03, our testing found that all the\nsecurity controls for the systems in our sample universe were assessed once in\nOIT\xe2\x80\x99s three-year C&A assessment cycle. Moreover, we found that access\ncontrol, identification and authentication, audit mechanisms, security\nconfiguration settings, physical access control devices, information system\nbackup operations, incident response capability, and contingency planning were\nnot tested in between the three-year C&A assessment cycle, or on a continuous\nbasis for critical security controls. We found that this practice does not meet the\nrequirements of a continuous monitoring strategy or plan according to NIST SP\n800-137, NIST SP 800-37, Rev. 1, and NIST SP 800-53A, Rev. 1.\n\nAlthough OIT conducts penetration testing and vulnerability scanning on a\ncontinuous basis to monitor the effectiveness critical security controls,\npenetration testing and vulnerability scanning do not review all critical security\ncontrols such as physical access control. While penetration testing and\nvulnerability scanning identifies system specific controls, it is not sufficient to\nmeet the continuous monitoring strategy requirements per NIST SP 800-137.\nAccording to NIST SP 800-137, \xe2\x80\x9cOrganization-wide monitoring cannot be\n8\n NIST SP 800-18, Rev. 1, Guide for Developing Security Plans for Federal Information Systems (February\n2006), pp. 31-32, Appendix B, Glossary.\n2012 FISMA Executive Summary Report                                                    March 29, 2013\nReport No. 512\n                                               Page 4\n\n                               REDACTED PUBLIC VERSION\n\x0cefficiently achieved through manual processes alone or through automated\nprocesses alone.\xe2\x80\x9d 9\n\nContinuous Monitoring Strategy\n\nIn August 2012, OIT issued Policy Directive CIO-PD-08 (CIO-PD-08). The CIO\xc2\xad\nPD-08 references continuous monitoring as follows:\n\n        OIT establishes a continuous monitoring strategy and implements a\n        continuous monitoring program that includes:\n\n        \xe2\x80\xa2\t A configuration management process for the information system\n           and its constituent components;\n        \xe2\x80\xa2\t A determination of the security impact of changes to the \n\n           information system and environment of operation;\n\n        \xe2\x80\xa2\t Ongoing security control assessments in accordance with the\n           organizational continuous monitoring strategy; and\n        \xe2\x80\xa2\t Reporting the security state of the information system to\n\n           appropriate SEC officials based on an assessment of risk\n\n           pertaining to the current threat environment. 10\n\n\nThis policy references OIT\xe2\x80\x99s continuous monitoring strategy. However, OIT has\nnot developed a formal continuous monitoring strategy or documented its\ncontinuous monitoring program per NIST SP 800-137 and NIST SP 800-37, Rev.\n1. NIT was informed that OIT has a continuous monitoring strategy that is in the\nearly stages of development, but it has not been formalized.\n\nNIST SP 800-137 provides guidance for the development of a continuous\nmonitoring program. We found that OIT\xe2\x80\x99s continuous monitoring strategy has not\nbeen developed or implemented and OIT has not taken steps to address the\nguidance identified in NIST SP 800-37, Rev. 1, which was released in February\n2010 and defines the criteria for a continuous monitoring strategy.\n\nFor benchmarking purposes, we contacted the National Credit Union\nAdministration (NCUA), Federal Deposit Insurance Corporation (FDIC), and the\nU.S. Commodity Futures Trading Commission (CFTC) regarding their FISMA\nrelated practices and procedure to comply with governing guidance such as\nNIST.\n\n\n\n9\n  NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and\n\nOrganizations (September 2011), p. vii.\n\n10\n   Policy Directive, Office of Information Technology, CIO Policy Directive, SEC OIT Security Policy\n\nFramework, Policy Number CIO-PD-08 (August 7, 2012), p. 57.\n\n2012 FISMA Executive Summary Report                                                       March 29, 2013\nReport No. 512\n                                                 Page 5\n\n                                REDACTED PUBLIC VERSION\n\x0cWhen asked about their compliance with NIST SP 800-137, and learned that\neach year NCUA, FDIC, and CFTC assesses a subset of controls or critical\ncontrols as part of their continuous monitoring process. NCUA and FDIC\ninformed us they have established continuous monitoring programs. While, the\nCFTC indicated it is in the process of developing a continuous monitoring\nprogram.\n\nConclusion\nAs a result of not fully implementing continuous monitoring and assessing a\nsubset of its critical security controls at least annually, OIT may not be operating\nwithin acceptable risk tolerance levels because they evaluate security controls\nevery three years, rather than on a continuous or rotating basis. This could\nimpact OIT\xe2\x80\x99s security program and result in the office being unable to fully\nproduce evidence that is needed to determine the full security status of its\ninformation systems. Also, without a documented continuous monitoring\nstrategy, OIT may not have adequate visibility into organizational assets,\nsufficient awareness of treats and vulnerabilities, or effectively deploy security\ncontrols.\n\n   Recommendation 1:\n\n   The Office of Information Technology should revise its information technology\n   security assessment procedures to ensure they are consistent with its current\n   practices and include verbiage to implement continuous monitoring and\n   requirements for on-going assessment of a subset of critical security controls.\n\n   Management Comments. OIT concurred with this recommendation. See\n   Appendix VII for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OIT concurred with this\n   recommendation. OIG considers this recommendation resolved. However,\n   this recommendation will remain open until documentation is provided to OIG\n   that supports it has been fully implemented.\n\n   Recommendation 2:\n\n   The Office of Information Technology should develop and implement a\n   continuous monitoring strategy in accordance with NIST Special Publication\n   800-137, Information Security Continuous Monitoring for Federal Information\n   Systems and Organizations and NIST Publication 800-37, Revision 1, Guide\n   for Applying Risk Management Framework to Federal Information Systems: A\n   Security Life Cycle Approach.\n\n\n2012 FISMA Executive Summary Report                                    March 29, 2013\nReport No. 512\n                                      Page 6\n\n                         REDACTED PUBLIC VERSION\n\x0c     Management Comments. OIT concurred with this recommendation. See\n     Appendix VII for management\xe2\x80\x99s full comments.\n\n     OIG Analysis. We are pleased that OIT concurred with this\n     recommendation. OIG considers this recommendation resolved. However,\n     this recommendation will remain open until documentation is provided to OIG\n     that supports it has been fully implemented.\n\n\nFinding 2: OIT Has Not Fully Implemented\nBaseline Configurations and Compliance\nScanning for\n        OIT did not define baseline configurations and has not\n        conducted configuration compliance scanning for\n                .   Improperly configured devices could lead to\n        potential weaknesses in OIT\xe2\x80\x99s systems.\n\nNIT found that OIT\xe2\x80\x99s configuration management program is generally in\ncompliance with governing FISMA requirements and NIST guidelines. However,\nOIT has not defined baseline configurations and it has not conducted\nconfiguration compliance scanning for                     .\n\nWe confirmed OIT has implemented configuration baselines for all\n       . OIT scans all                                                for baseline\nconfiguration compliance and documents and it approves all deviations from the\nbaseline. 11 Further, we found all                           have baseline\nconfigurations defined, using Center for Internet Security (CIS) standards.\nHowever, there are no allowable exceptions defined and approved for\n\n\nAlthough OIT has implemented the configuration baselines for\n       , they have not fully implemented configuration baselines and\nconfiguration compliance scanning for\n                             . OIT also did not implement configuration baselines\nfor                    because for the past year the office has focused on\nimplementing baselines standards and compliance scanning for\n       . OIT began establishing baselines and implemented compliance\nscanning for                      in August of 2012 and is scheduled to be\ncompleted with the process by the end of March 2013.\n\n\n11\n                                               .\n2012 FISMA Executive Summary Report                                  March 29, 2013\nReport No. 512\n                                      Page 7\n\n                         REDACTED PUBLIC VERSION\n\x0cOIT asserted that due to the lack of resources, it has not documented\nconfiguration baselines and conducted compliance scans for                     .\nOur review also found that although OIT works toward a 100 percent goal, it does\nnot maintain a documented list of exceptions to the baseline configuration of\n                          . However, we confirmed that OIT documents and\napproves deviations from the baseline for                     .\n\nAs a result of not having updated configuration baselines for\nand approved deviations for                            , OIT could inconsistently\napply configurations to these devices, which could lead to potential weaknesses\nin its environment and present increased security related risks to the SEC\xe2\x80\x99s\nsystems. Additionally, by not conducting compliance scans of                     ,\nconfiguration settings may be altered without the administrator\xe2\x80\x99s knowledge of\nthe network, devices may not meet minimum configuration requirements. Thus,\nit may be impossible to determine if the device configurations are aligned with\napproved baseline configurations. Further, OIT\xe2\x80\x99s current\n                may not comply with current FISMA and NIST best practices.\n\nNIST Requirements. NIST SP 800-53, Rev. 3 guidelines specifies that\norganizations should develop, document, and maintain under configuration\ncontrol\xe2\x80\xa6a current baseline configuration of the information system. 12 Our review\nfound that OIT has not defined baseline configurations and while they conduct\ncompliance scanning for                     , OIT has not conducted configuration\ncompliance scanning for                      . Although not required, OIT uses a\ntool to monitor configurations of the SEC\xe2\x80\x99s                    for unauthorized\nchanges.\n\nWith respect to configuration management NIST SP 800-53, Rev. 3 recommends\nthat organizations:\n\n        a) Establish and document mandatory configuration settings\n\n           for information technology products employed within the \n\n           information system using [Assignment: organization-\n\n           defined security configuration checklists] that reflect the \n\n           most restrictive mode consistent with operational\n\n           requirements;\n\n        b) Implement configuration settings;\n        c) Identify, document, and approve exceptions from the \n\n           mandatory configuration settings for individual\n\n           components within the information system based on \n\n           explicit operational requirements; and\n\n        d) Monitor and control changes to configuration settings in\n\n12\n NIST SP 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems and\nOrganizations (August 2009), p. F-38.\n2012 FISMA Executive Summary Report                                                March 29, 2013\nReport No. 512\n                                             Page 8\n\n                              REDACTED PUBLIC VERSION\n\x0c               accordance with the organization\xe2\x80\x99s policies and \n\n               procedures. 13\n\n\nRepeat Recommendation from Prior OIG Report\nWe determined that the remedy for this finding would result in a repeat\nrecommendation that was previously made in OIG\xe2\x80\x99s 2011 FISMA Executive\nSummary Report, Report No. 501, issued in February 2012. Specifically, the\nreport\xe2\x80\x99s Finding 4 \xe2\x80\x9cOIT Has Not Conducted Configuration Compliance Scans and\nNeeds a Defined Process to Address Compliance Scan Results in a Timely\nManner,\xe2\x80\x9d found that OIT\xe2\x80\x99s baseline configurations were outdated and\ninconsistent with NIST guidance and OIT did not conduct configuration\ncompliance scans. 14 OIT concurred with the following recommendation in the\nreport:\n\n           Recommendation 9: The Office of Information Technology\n\n           should review and document its current standard baseline \n\n           configuration, including identification of approved deviations\n\n           and exceptions to the standard.\n\n\nTo date this recommendation is still open and OIT has not fully implemented it.\nWe determined that because OIT is making progress in addressing this\nrecommendation, a new recommendation will not be made in this report\npertaining to conducting configuration compliance scans for\nHowever, we encourage OIT to fully mitigate the deficiencies identified in the\nprior issued OIG report and in this finding and fully implement the\nrecommendation in a timely manner.\n\n\nFinding 3: OIT Has Not Implemented Multi-Factor\nAuthentication to the SEC\xe2\x80\x99s PIV Program\n           OIT has not approved a formal project plan to implement\n           personal identity verification (PIV) and it has not\n           implemented a technical solution to link PIV badges to multi-\n           factor authentication. As a result, the SEC is not compliant\n           with the Federal Information Processing Standards\n           Publication 201-1, Personal Identity Verification (PIV) of\n\n\n\n\n13\n     NIST SP 800-53, Rev. 3, p. F-42.\n14\n     OIG, 2011 FISMA Executive Summary, Report No. 501 (Feb. 2, 2012).\n2012 FISMA Executive Summary Report                                          March 29, 2013\nReport No. 512\n                                                Page 9\n\n                                REDACTED PUBLIC VERSION\n\x0c         Federal Employees and Contractors. 15 This noncompliance\n         could expose the Commission to unauthorized access to its\n         information systems.\n\nOur review found that OIT has not approved a formal project plan to implement\nPIV and it has not implemented a technical solution to link PIV badges to multi-\nfactor authentication. Multi-factor authentication for system access is the\nprocess for establishing confidence of authenticity by using two or more factors\nto achieve authentication. The Commission is required to have a minimum two\nof three factors for multi-factor authentication. The multi-factor authentication\nthree factors are a:\n\n     (1) Password or a personal identification number (PIN).\n     (2) PIV card. 16\n     (3) Physical security token, or a biometric 17 feature such as a \n\n         fingerprint or retina scan.\n\n\nHomeland Security Presidential Directive-12 (HSPD-12) established control\nobjectives for the secure and reliable identification of Federal employees and\ncontractors. The HSPD-12 requirements, issued by President Bush in August\n27, 2004, state,\n\n         Not later than 4 months following promulgation of the Standard, the\n         heads of executive departments and agencies shall have a\n         program in place to ensure that identification issued by their\n         departments and agencies to Federal employees and contractors\n         meets the Standard. As promptly as possible, but in no case later\n         than 8 months after the date of promulgation of the Standard, the\n         heads of executive departments and agencies shall, to the\n         maximum extent practicable, require the use of identification by\n         Federal employees and contractors that meets the Standard in\n         gaining physical access to Federally controlled facilities and logical\n         access to Federally controlled information systems. Departments\n         and agencies shall implement this directive in a manner consistent\n\n15\n   Federal Information Processing Standards Publication 201-1, Personal Identity Verification (PIV) of\nFederal Employees and Contractors (FIPS 201-1), was issued by NIST on February 25, 2005, and revised\nin March 2006.\n16\n   A PIV card is defined as \xe2\x80\x9c[a] physical artifact (e.g., identity card, \xe2\x80\x98smart card\xe2\x80\x99) issued to an individual that\ncontains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint\nrepresentation) so that the claimed identity of the cardholder can be verified against the stored credentials\nby another person (human readable and verifiable) or an automated process (computer readable and\nverifiable).\xe2\x80\x9d Federal Information Processing Standards Publication (FIPS Pub.) 201-1, Personal Identity\nVerification (PIV) of Federal Employees and Contractors, p. 73, Appendix F.\n17\n   Biometric is defined as \xe2\x80\x9c[a] measurable, physical characteristic or personal behavioral trait used to\nrecognize the identity, or verify the claimed identity, of an Applicant. Facial images, fingerprints, and iris scan\nsamples are all examples of biometrics.\xe2\x80\x9d FIPS Pub. 201-1, p. 70.\n2012 FISMA Executive Summary Report                                                             March 29, 2013\nReport No. 512\n                                                   Page 10\n\n                                  REDACTED PUBLIC VERSION\n\x0c        with ongoing government-wide activities, policies and guidance\n        issued by OMB, which shall ensure compliance. 18\n\nIn addition, FIPS 201-1 guidance for implementing multi-factor authentication\nstating,\n\n        PIV Cards must be personalized with identity information for the\n        individual to whom the card is issued, in order to perform identity\n        verification both by humans and automated systems. Humans can\n        use the physical card for visual comparisons, whereas automated\n        systems can use the electronically stored data on the card to\n        conduct automated identity verification.\n\nRepeat Finding and Recommendation from Prior OIG Report\n\nThis finding is consistent with Finding 5, \xe2\x80\x9cMulti-Factor Authentication for System\nAccess Has Not Been Linked to the SEC\xe2\x80\x99s Personal Identity Verification\nProgram\xe2\x80\x9d found in OIG\xe2\x80\x99s 2011 FISMA Executive Summary Report, Report No.\n501, issued February 2, 2012. The finding concluded that OIT had not\nimplemented a technical solution for linking the PIV cards to multi-factor\nauthentication. OIT concurred with the recommendation in Report No. 501 as\nfollows:\n\n        Recommendation 13: The Office of Information Technology\n        should complete its implementation of the technical solution for\n        linking multi-factor authentication to PIV cards for system\n        authentication and require use of the PIV cards as a second factor\n        authentication factor by December 2012.\n\nTo date this recommendation is still open and OIT has not fully implemented it.\nOIT staff informed us they are working to address the recommendation. Based\non our assessment, these deficiencies have not been timely mitigated and OIT\nstill has not developed an effective technical solution to fully implement PIV cards\nat the SEC, as a second authentication factor for accessing the Commission\xe2\x80\x99s\ninformation systems. OIT\xe2\x80\x99s proposed technical solution to implement PIV for\nlogical access was delayed because it did not meet the PIV program\xe2\x80\x99s\nrequirements in FIPS 201-1.\n\nIn addition, OIT has not approved a formal project plan with timelines, resource\nallocation, and management has not approved the implementation of PIVs for\nlogical access to SEC\xe2\x80\x99s systems. OIT informed us they have an informal outline\n\n18\n  HSPD-12: Policy for a Common Identification Standard for Federal Employees and Contractors,\nparagraph 4.\n2012 FISMA Executive Summary Report                                                   March 29, 2013\nReport No. 512\n                                              Page 11\n\n                              REDACTED PUBLIC VERSION\n\x0cof tasks that will be conducted. OIT delayed the project plan that was\nestablished to implement PIV for logical access because the proposed technical\nsolution did not meet the PIV program requirements in FIPS 201-1.\n\nAs a result, the SEC is not complying with the requirements that federal\nemployees and contractors use PIV cards to gain physical access to federally\ncontrolled facilities and logical access to federally controlled information systems.\nNot fully implementing a multi-factor authentication could expose the\nCommission to unauthorized access to its information systems.\n\nConclusion\nThis is a repeat finding that would result in a repeat recommendation from OIG\xe2\x80\x99s\n2011 FISMA Executive Summary Report, Report No. 501, February 2, 2012.\nTherefore, a new recommendation will not be made pertaining to the technical\nsolution for linking PIV cards to a multi-factor authentication. However, we\nstrongly encourage OIT to take steps to mitigate the deficiencies identified in OIG\nReport No. 501, Finding 5, recommendation 13 and this finding. OIT should fully\nimplement this recommendation in a timely manner.\n\n\nFinding 4: The SEC\xe2\x80\x99s Risk Management Strategy\nDoes Not Address a Comprehensive Governance\nStructure or the SEC\xe2\x80\x99s Overall Security Risks\n           The SEC\xe2\x80\x99s risk management strategy does not address the\n           requirements needed for a comprehensive governance\n           structure and organizational overall security risk\n           management. Further, it does not address risk from a\n           mission and business process perspective, as described in\n           the risk management framework (RMF) identified in NIST SP\n           800-37, Rev. 1. 19 As a result of not updating the risk\n           management strategy to address NIST guidelines, OIT is\n           more likely to be exposed to higher level risks.\n\nOIG\xe2\x80\x99s FISMA 2012 review found OIT\xe2\x80\x99s current risk management strategy still\nexists, but only within the context of one tier/level within the NIST RMF. The\nother two tiers, mission and business process level and organization level have\nnot been fully implemented.\n\nNIST SP 800-37, Rev. 1 was released in February 2010 and it changed the\n\n19\n     NIST SP 800-37, Rev. 1, p. 2, Section 1.2, Purpose and Applicability.\n2012 FISMA Executive Summary Report                                          March 29, 2013\nReport No. 512\n                                                   Page 12\n\n                                   REDACTED PUBLIC VERSION\n\x0ctraditional C&A process into a six-step RMF. RMF\xe2\x80\x99s focus is a three-tiered\napproach to risk management that addresses risk-related concerns in\norganization level, the mission and business processes level, and at the\ninformation system levels. 20\n\nOIG\xe2\x80\x99s 2011 FISMA Executive Summary Report, Report No. 501, issued in\nFebruary 2012 concluded SEC risk management policy did not adhere to the\nrequirements for a comprehensive governance structure and organization-wide\nrisk management strategy. Hence, OIT\xe2\x80\x99s risk management policy did not\naddress risk from a mission and business process perspective as described in\nNIST\xe2\x80\x99s SP 800-37, Rev. 1, released February 2010. 21\n\nCurrently, OIT only addresses risk at the information system level. The Office of\nRisk Management, located in the Office of the Chief Operating Officer (OCOO),\nis responsible for implementing RMF at the mission and business process level\nand the organization level. OCOO has a newly hired risk executive who has\noversight of this function. As a whole, the Commission has not fully developed a\ncomprehensive governance structure and risk management strategy, which is\nnecessary for facilitating organization-wide security risks at all RMF levels:\norganization level, the mission and business process level, and the information\nsystem level.\n\nAlthough, OCOO\xe2\x80\x99s Office of Risk Management has not fully implemented a risk\nmanagement strategy that is fully aligned with NIST SP 800-37, Rev. 1, it is\nmaking progress. Further, while a comprehensive risk management strategy has\nnot been fully implemented, currently OIT is working on a project to develop and\nimplement a comprehensive risk management strategy at the information system\nlevel that is scheduled to be completed by January 2014.\n\nAdditionally, we found the SEC has not updated work procedures to address the\nnew requirement to develop a comprehensive risk management strategy.\nHowever, in compliance with NIST guidance OIT conducted risk assessments at\nthe information system level prior to the release of NIST SP 800-37, Rev. 1.\n\nConclusion\nAs a result of not updating its risk assessment strategy to address the RMF\xe2\x80\x99s\nidentified in NIST SP 800-37, Rev. 1, the Commission has not developed a\ncomprehensive strategy to manage risk at the organization, the mission and\nbusiness, and information system levels. Thus, the Commission could risk not\nbeing able to effectively identify risk and properly allocate resources to address\n\n20\n     Ibid, p. 5, Figure 2-1.\n21\n     Ibid.\n2012 FISMA Executive Summary Report                                   March 29, 2013\nReport No. 512\n                                       Page 13\n\n                               REDACTED PUBLIC VERSION\n\x0cweakness and vulnerabilities that could affect the SEC\xe2\x80\x99s information systems,\nbusiness processes, or organization effectiveness.\n\n   Recommendation 3:\n\n   The Office of Information Technology should continue to implement the\n   existing project for the development and implementation of a comprehensive\n   risk management strategy in accordance with NIST Special Publication 800\xc2\xad\n   37, Revision 1, Guide for Applying Risk Management Framework to Federal\n   Information Systems: A Security Life Cycle Approach, addressing risk at the\n   organization level, the mission and business process level and the\n   information system level.\n\n   Management Comments. OIT concurred with this recommendation. See\n   Appendix VII for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OIT concurred with this\n   recommendation. OIG considers this recommendation resolved. However,\n   this recommendation will remain open until documentation is provided to OIG\n   that supports it has been fully implemented.\n\n   Recommendation 4:\n\n   The Office of the Chief Operating Officer should ensure the Office of Risk\n   Management coordinates with the Office of Information Technology to provide\n   training to management throughout the Commission and educate staff on\n   their roles and responsibilities related to operating in a three-tiered risk\n   management framework.\n\n   Management Comments. OCOO concurred with this recommendation. See\n   Appendix VII for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OCOO concurred with this\n   recommendation. OIG considers this recommendation resolved. However,\n   this recommendation will remain open until documentation is provided to OIG\n   that supports it has been fully implemented.\n\n\n\n\n2012 FISMA Executive Summary Report                                March 29, 2013\nReport No. 512\n                                      Page 14\n\n                         REDACTED PUBLIC VERSION\n\x0cFinding 5: OIT Did Not Categorize the SEC\xe2\x80\x99s\nInformation Systems in Accordance with NIST\xe2\x80\x99s\nRisk Management Framework\n        Designated Authorizing Officials are not fully involving the \n\n        Information System Owners (ISO) in system security\n\n        categorization as directed by NIST SP 800-37, Guide for\n\n        Applying the Risk Management Framework to Federal\n\n        Information Systems, A Security Lifecycle Approach, Task 1\xc2\xad\n        1. Not involving the ISO in the categorization process runs\n\n        the risk of them not understanding the overall context of the\n\n        system and the subsequent security controls needed to\n\n        properly safeguard agency information.\n\n\nOur review of the security test and evaluation (ST&E) documentation for the\nsystems in our sample universe found all nine systems had FIPS 199 system\nsecurity categorizations either in the ST&E documentation or the risk assessment\nreport. The ST&E is the security document containing the assessment criteria\nand the assessment results for the required security controls for each system.\nFor the systems reviewed in our sample universe, one did not have a ST&E.\nAlthough OIT does not conduct ST&Es for contractor systems, they examine the\nST&Es the contractor completes. 22\n\nThe results of the system security categorization influences the selection the\nappropriate security controls for information systems, which were included in the\nST&E and where applicable, the minimum assurance requirements for the\nsystem. 23 However, we found the FIPS 199 system security categorizations for the\nnine systems in our sample were not approved by the system owners in step one\nof RMF, as required by NIST SP 800-37, Rev. 1. 24 Instead, the approvals were\ndone as part of the system security plan (SSP) review in step five of the RMF. 25\nWe found OIT\xe2\x80\x99s policy and procedures does not address the requirement for\nsystem owners to conduct system security categorization in step one of RMF.\nFigure 1 shown below, illustrates OIT\xe2\x80\x99s system security categorization approval\ntakes place in step one versus step five of the RMF. 26\n\n\n\n22\n   NIST SP 800-53A, Rev. 1, Guide for Assessing the Security Controls in Federal Information Systems and \n\nOrganizations (June 2010), p. ix, Preface.\n\n23\n   NIST SP 800-37, Rev. 1, p. 21, section 3.1 Task 1-1.\n\n24\n   Ibid.\n\n25\n   SSP - A formal document that provides an overview of the security requirements for an information \n\nsystem and describes the security controls in place or planned for meeting those requirements. NIST SP \n\n800-18, Rev. 1, p. 39.\n\n26\n   NIST SP 800-37, Rev. 1, p. 8, Section 2.1. Figure 2-2.\n\n2012 FISMA Executive Summary Report                                                     March 29, 2013\nReport No. 512\n                                               Page 15\n\n                               REDACTED PUBLIC VERSION\n\x0cFigure 1: Risk Management Framework Process Overview\n\n\n\n\nSource: NIST SP 800-37, Rev. 1\n\nNIST Requirements. NIST SP 800-37, Rev. 1, Step 1, System Development\nLife Cycle (SDLC), states the system security categorization is to be completed\nin either the system development life cycle phase: initiation phase or step one of\nthe RMF. 27 Further, NIST SP 800-53A, Rev. 1, Guide for Assessing the Security\nControls in Federal Information Systems and Organizations, states all steps in\nthe RMF should be completed and approved before conducting a security\nassessment. 28\n\nBenchmark Results with Other Federal Agencies. Based on our\nbenchmarking with the NCUA, FDIC, and CFTC, we learned that each agency\nsigns and approves formal system security categorizations before selecting and\nassessing their respective security controls.\n\nConclusion\nAs a result of not obtaining an approved signature in step one of RMF, there is\nno assurance system security categorization was done prior to the security\nassessments being conducted. We were unable to confirm if the system\ncategorization was completed and whether NIST and management needs were\nmet. Without formal approval prior to conducting security assessments, the SEC\nruns the risk of assessing the system using the incorrect security controls based\non an incorrect system security categorization.\n27\n     NIST SP 800-37, Rev. 1, p. 21, Section 3.1. Task 1-1.\n28\n     NIST SP 800-53A, Rev. 1, p. 13, Section 3.1.\n2012 FISMA Executive Summary Report                                  March 29, 2013\nReport No. 512\n                                                  Page 16\n\n                                  REDACTED PUBLIC VERSION\n\x0c   Recommendation 5:\n\n   The Office of Information Technology should develop procedures to ensure\n   Federal Information Processing Standard 199 system security categorization\n   and to properly document the involvement of the information system owner\n   (ISO) and the authorizing official, respectively, in step on of the risk\n   management framework.\n\n   Management Comments. OIT concurred with this recommendation. See\n   Appendix VII for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OIT concurred with this\n   recommendation. OIG considers this recommendation resolved. However,\n   this recommendation will remain open until documentation is provided to OIG\n   that supports it has been fully implemented.\n\n   Recommendation 6:\n\n   The Office of Information Technology should revise its Federal Information\n   Processing Standard 199 system security categorization form to include\n   signature blocks for the system owner and authorizing official.\n\n   Management Comments. OIT concurred with this recommendation. See\n   Appendix VII for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OIT concurred with this\n   recommendation. OIG considers this recommendation resolved. However,\n   this recommendation will remain open until documentation is provided to OIG\n   that supports it has been fully implemented.\n\n\nFinding 6: OIT Has Not Tailored Baseline Security\nControls for Specific Systems\n       OIT has not tailored baseline security controls for specific\n       systems. Not having a tailored control list could result in the\n       OIT understating or overstating the security requirements for\n       its system and critical controls for certain systems may not\n       be identified.\n\nBased on our review we found that OIT has not tailored its baseline security\ncontrols for specific systems that require such controls. We further found OIT did\nnot tailor baseline security controls for the nine systems in our sample universe.\n\n2012 FISMA Executive Summary Report                                      March 29, 2013\nReport No. 512\n                                      Page 17\n\n                         REDACTED PUBLIC VERSION\n\x0cIn addition, the SSPs for the systems in our sample universe did not include\nOIT\xe2\x80\x99s decision to not tailor during the security control selection process, nor its\nrationale for the decision. While OIT has not tailored baseline security controls, it\nhas identified and selected a generic set of baseline security controls based on\nthe security categorization of the system. Finally, we found OIT has not\ndeveloped formal procedures or instructions for tailoring the baseline security\ncontrols in accordance with NIST SP 800-53, Rev. 3 guidelines.\n\nFigure 2, below summarizes the security control selection process that include\ntailoring initial security control baselines and additional modifications that may be\nneeded to the baseline, based on an organizational assessment of risk. 29\n\n     Figure 2: Security Control Selection Process\n\n\n\n\n     Source: NIST SP 800-53, Rev. 3\n\nBaseline Security Controls Guidance. NIST SP 800-37, Rev. 1 provides\nguidelines to organizations to tailor the baseline security controls by applying\nscoping, parameterization, and compensating control guidance. Further, NIST\nSP 800-37 guides organizations to supplement the tailored baseline security\ncontrols, if necessary, with additional controls and/or control enhancements to\naddress unique organizational needs based on a risk assessment (either formal\nor informal) and local conditions including environment of operation,\norganization-specific security requirements, specific threat information, cost-\nbenefit analyses, or special circumstances. Also, NIST SP 800-37 guides\norganizations to specify minimum assurance requirements, as appropriate.\nFurther, the publication guides organizations document in the security plan, the\ndecisions (e.g., tailoring, supplementation, etc.) taken during the security control\nselection process, providing a sound rationale for those decisions. 30\n\n\n\n29\n     Ibid, p. 25, Figure 3.2.\n30\n     NIST SP 800-37, Rev. 1, p. 25, Section 3.2, Task 2-2, Supplemental Guidance.\n2012 FISMA Executive Summary Report                                                 March 29, 2013\nReport No. 512\n                                                 Page 18\n\n                                  REDACTED PUBLIC VERSION\n\x0cNIST SP 800-37, Rev. 1, defines tailoring as the process by which a security\ncontrol baseline is modified based on the application of scoping guidance; the\nspecification of compensating security controls, if needed; and the specification\nof organization-defined parameters in the security controls via explicit\nassignment and selection statements. 31\n\nOMB Memorandum M-12-20, FY 2012 Reporting Instructions for the Federal\nInformation Security Management, question 13 indicates agencies expectations\nare to use the baseline as a starting point and tailor the controls based on NIST\nSP 800-53, Rev. 3, eliminating or adding controls as necessary.\nPer this guidance, OIT is required to tailor baseline security controls, document\ntailored controls in the SSP or other security documentation, and provide sound\nrationale for tailoring the security selection.\n\nFeedback we received from NCUA, FDIC, and CFTC representatives found\nthese agencies tailor their baseline security controls, and develop tailored control\nlists based on NIST SP 800-53, Rev. 3 guidelines, prior to conducting\nassessments. Also, our interview with a NIST RMF subject matter expert found\nthat tailoring baseline security controls is a required activity in carrying out step\ntwo of RMF, security control selection and specification.\n\nRepeat Recommendations from Prior OIG Report\nThis finding is consistent with Finding 3 \xe2\x80\x9cOIT Has Not Formally Defined a\nTailored Set of Baseline Security Controls and Has Not Tailored Control Sets for\nSpecific Systems,\xe2\x80\x9d found in OIG\xe2\x80\x99s 2011 FISMA Executive Summary Report,\nReport No. 501, issued February 2, 2012. The finding concluded that OIT had\nnot developed formal procedures and instructions for tailoring its baseline\nsecurity controls in accordance with the NIST SP 800-53, Rev. 3 guidelines. 32 In\naddition, the report found that OIT had not developed a tailored set of baseline\nsecurity controls for each applicable system requiring such controls, or as\ndefined in the SSP or other security documents. The report consisted of the\nthree recommendations that follow, which OIT fully concurred to implement.\n\n            Recommendation 5: The Office of Information Technology should\n            develop and implement formal policy addressing tailoring baseline\n            security control sets.\n\n            Recommendation 6: The Office of Information Technology should\n            determine whether it should perform the tailoring process at the\n            organization level for all information systems (either as the required\n            tailored baseline or as the starting point for system-specific\n31\n     Ibid, p. B-10, Appendix B, Glossary.\n32\n     NIST 800-53, Rev 3.\n2012 FISMA Executive Summary Report                                         March 29, 2013\nReport No. 512\n                                            Page 19\n\n                                   REDACTED PUBLIC VERSION\n\x0c       tailoring), at the individual information system level, or using a\n       combination of organization-level and system-specific approaches.\n\n       Recommendation 7: The Office of Information Technology should\n       tailor a baseline security controls set (with rationale) for applicable\n       systems in accordance with the guidance provided by National\n       Institute of Standards and Technology, Guide for Applying the Risk\n       Management Framework to Federal Information Systems: A\n       Security Life Cycle Approach and National Institute of Standards\n       and Technology, Recommended Security Controls for Federal\n       Information Systems and Organizations.\n\nThese recommendations are still open and OIT has not implemented them.\nBased on our review, the issues identified in OIG Report No. 501 and discussed\nin this finding still exist. To fully resolve this finding, OIT must address these\nrecommendations.\n\nNIT\xe2\x80\x99s Review of OIT\xe2\x80\x99s Applying NIST Guidelines. Though NIST SP 800-37,\nRev. 1 and NIST SP 800-53, Rev. 3 recommends tailoring security baseline\ncontrol sets, OIT elected to use a generic a baseline security control set because\nthey determined it properly addressed NIST\xe2\x80\x99s guidance. We were informed OIT\ndid not tailor baseline security controls because determined tailoring is not\nrequired, and using only the generic baseline security control set (based on the\nsystem\xe2\x80\x99s security categorization) to further tailoring is not required.\n\nOur review of C&A packages, SSPs, and other security documents for the nine\nsystems in our sample universe found no indication baseline security control set\nwas tailored in accordance with the guidance provided in NIST SP 800-37, Rev.\n1 and NIST SP 800-53, Rev. 3. Further, we did not find a consensus amongst\nOIT management to ascertain whether OIT should perform the tailoring process\n(1) at the organization level for all information systems, (2) at the information\nsystem level, (3) or using a combination of both. We determined OIT\xe2\x80\x99s\ninterpretation of NIST guidance does not ensure its baseline security control sets\nare properly tailored.\n\nConclusion\nOIT uses a generic control set based on security categorization, which could\nresult in under/overstating the security requirements for its systems. As a result,\ncritical controls may not be identified for certain systems.\n\nWe identified three repeat recommendations in this finding, so no new\nrecommendations will be made pertaining to tailoring baseline security controls.\nOIT should take immediate steps to mitigate the deficiencies identified in OIG\n2012 FISMA Executive Summary Report                                     March 29, 2013\nReport No. 512\n                                      Page 20\n\n                         REDACTED PUBLIC VERSION\n\x0cReport No. 501, for recommendations 5, 6, 7 and this finding and fully implement\nthese recommendations in a timely manner.\n\n\nFinding 7: IT Security Awareness Training\nProgram Could be Improved by Including Role-\nBased Training for Staff with IT Duties and\nResponsibilities\n            IT security awareness training program does not specify who\n            is required to take role-based training and there is no\n            enforcement mechanism to ensure Commission staff have\n            taken the correct role-based training, based on duties and\n            responsibilities. The IT security awareness training program\n            should include role-based training for staff having IT\n            responsibilities.\n\nThe SEC\xe2\x80\x99s United States (U.S.) SEC Learning Management Server application is\nused to administer security awareness training, identifies several IT positions, but\nit does not include all IT positions that have access to SEC sensitive data or\nmaterials. It also does not have a mechanism users with IT responsibilities can\nuse to complete role-based training. The application allows employees and\ncontractors to choose the roles that are best suited for their duties and\nresponsibilities. In addition, the application does not prevent users from\ncircumventing appropriate role-based training. Hence, the user does not have to\nselect a role from the list that is provided.\n\nOIT provides annual privacy and cyber security awareness training to all SEC\nemployees and contractors, which requires them to access the SEC\xe2\x80\x99s information\nsystems. This training includes role-based training for IT specialist, IT program\nmanager, database administrator, network administrator, programmer, and\nsystem administrators. In 2012, the SEC reached 100 percent participation and\ncompliance in completing the Annual Privacy and Cyber Security Awareness\nTraining. 33 We found the IT security awareness training program does not\nspecify who is required to take role-based training and there is no enforcement\nmechanism to ensure its staff have taken the correct role-based training, based\non duties and responsibilities.\n\nOIT\xe2\x80\x99s Implementing Instruction (II) 24-04-03-01, IT Security Awareness Training\nstates, \xe2\x80\x9c[role-based] training is required of employees holding certain IT\npositions, specifically those having access to, or knowledge of SEC sensitive\n33\n     The Insider, intranet site for the SEC (August 2012).\n2012 FISMA Executive Summary Report                                        March 29, 2013\nReport No. 512\n                                                    Page 21\n\n                                    REDACTED PUBLIC VERSION\n\x0cdata or materials.\xe2\x80\x9d 34 Although, OIT has policy requiring role-based training for\nemployees in certain IT positions, such as information security, the policy does\nnot specifically identify the positions.\n\nOIT\xe2\x80\x99s security awareness training does not include role-based training for\npersons with duties and responsibilities related to information security, in\naccordance with NIST SP 800-16. 35 An example of the roles that are linked to\nSEC employees responsibilities include:\n\n     \xe2\x80\xa2   authorizing official\n     \xe2\x80\xa2   information owner\n     \xe2\x80\xa2   chief information officer\n     \xe2\x80\xa2   chief information security officer\n     \xe2\x80\xa2   information systems security officer\n     \xe2\x80\xa2   risk executive\n     \xe2\x80\xa2   privacy act official\n\nRole-based training in the security awareness training course is limited to select\ntechnical IT roles (i.e. system administrator) and it does not include other\npositions where the staff in the position would have access to sensitive data or\nmaterials.\n\nNIST SP 800-53, Rev. 3 provides guidance for role-based security training and\ndetermines its content based on roles and responsibilities. Specifically,\nAwareness and training 3 (AT-3) Security Training states,\n\n         The organization provides role-based security related training: (i)\n         before authorizing access to the system or performing assigned\n         duties; (ii) when required by system changes; and (iii) [Assignment:\n         organization-defined frequency] thereafter.\n\n         Supplemental Guidance: The organization determines the\n         appropriate content of security training based on assigned roles\n         and responsibilities and the specific requirements of the\n         organization and the information systems to which personnel have\n         authorized access\xe2\x80\xa636\n\nII 24-04-03-01, IT Security Awareness Training does not define the frequency of\nrole-based refresher training or the process for tracking role-based training. 37\nThe instruction states, \xe2\x80\x9c[t]he OIT Security Group tracks progress in and\n\n34\n   II 24-04-03-01, IT Security Awareness Training, (Dec. 29, 2005), p. 4, Section 5b(1).\n\n35\n   NIST SP 800-16, Information Technology Security Training Requirements (April 1998), p. 47, Exhibit 4.3.\n\n36\n   NIST SP 800-53, Rev. 3, p. F-22, Security Awareness and Training.\n\n37\n   II, IT Security Awareness Training, Policy Number 24-04-03-01 (Dec. 29, 2005), p. 4, Section 5b(1).\n\n2012 FISMA Executive Summary Report                                                       March 29, 2013\nReport No. 512\n                                                Page 22\n\n                                REDACTED PUBLIC VERSION\n\x0ccompletion of required training courses.\xe2\x80\x9d After conducting interviews and\nreviewing documentation, we found OIT does not track progress and completion\nof role-based training in accordance with its policy. 38\n\nConclusion\nWe determined OIT has not clearly determined what IT staff need role-based\ntraining or information security related training for risk management. Additionally,\nOIT management has not defined the course or level of training that is needed\nfor certain specific roles that are found in the U.S. SEC Learning Management\nServer. By not providing proper direction to IT staff with information security\nroles to complete role-based training, the employees may not get training that is\nbest suited for their specific duties and responsibilities. This could result in them\nnot receiving training needed to aid in understanding their role in implementing\ninformation security at the SEC. Thus, this could potentially lead to IT staff not\nfully complying with applicable NIST guidelines.\n\n       Recommendation 7:\n\n       The Office of Information Technology should review and update the existing\n       information technology security awareness training program to:\n\n             \xe2\x80\xa2\t Include specific role-based training based on the duties and\n                responsibilities for staff with information security roles.\n             \xe2\x80\xa2\t Track the progress and completion of IT staff\xe2\x80\x99s role-based training.\n\n       Management Comments. OIT concurred with this recommendation. See\n       Appendix VII for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation. OIG considers this recommendation resolved. However,\n       this recommendation will remain open until documentation is provided to OIG\n       that supports it has been fully implemented.\n\n\n\n\n38\n     Ibid.\n2012 FISMA Executive Summary Report                                        March 29, 2013\nReport No. 512\n                                           Page 23\n\n                              REDACTED PUBLIC VERSION\n\x0cFinding 8: OIT Did Not Adhere to the Milestone\nRemediation Dates Identified to Close POA&Ms\nHaving Lower Priority Risks\n           Though OIT establishes milestone remediation dates for\n           plan of action and milestones (POA&M), it did not adhere to\n           specific milestone remediation dates identified when closing\n           POA&Ms having lower priority risks. As a result, POA&Ms\n           are open for an extended period of time, which puts the\n           Commission at risk if the weakness is not remediated in a\n           timely manner.\n\nOur review found that OIT does not adhere to specific milestone remediation\ndates for closing POA&Ms having lower priority risk. We evaluated two sets of\nPOA&M documents as follows: (1) A GSS POA&M report, dated August 6, 2012,\nthat identified GSS open and closed POA&Ms from June 2011 to June 2012; 39\nand (2) A listing of application POA&Ms that was created in\n                                    40\n                                       and covered eight major applications from\nJune 2011 to June 2012.\n\nOur review of POA&Ms documents found a significant number that were not\nremediated and exceeded the projected remediation date. OIT asserts these\nwere all lower priority risk POA&Ms. Specifically, 99 of the 177 POA&Ms we\nreviewed were open. Of the 99 that were open, only one had not exceeded the\nprojected remediation date. The remaining 98 POA&Ms had exceeded the\nremediation date by as much as five years. Table 1, shown below illustrates the\ninability to close POA&M\xe2\x80\x99s and remediate them by the proposed date.\n\n             Table 1: Open POA&Ms\n                                                Number of           Number of POA&Ms\n               Information      Open          POA&Ms Past             Not Exceeding\n                 Systems       POA&Ms           Projected               Projected\n                                             Remediation Date        Remediation Date\n               Major               64              63                       1\n               Applications\n               General             34                 34                       0\n               Support\n               System\n               Total               99                 98                       1\n\n             Source: NIT Generated\n\n\n39\n     Team Track is an automated application used by OIT to track the GSS POA&Ms.\n40\n\n\n\n2012 FISMA Executive Summary Report                                                March 29, 2013\nReport No. 512\n                                               Page 24\n\n                                 REDACTED PUBLIC VERSION\n\x0cOf the 99 total open POA&Ms for the SEC\xe2\x80\x99s information systems, 63 of 64 for\nmajor applications exceeded the projected remediation dates. We further found\none POA&M was 5 years past the remediation date, one was 4 years past the\nremediation date, one was 3 years past the remediation date, 39 were 2 years\npast the remediation date, and 21 were one year past the remediation date. Our\nreview of the 34 open POA&Ms for GSS found they all exceeded the projected\nremediation date. Our review of the POA&Ms that was not remediated is\ndetailed in Appendix VI.\n\nBased on the nine systems in our sample we found four had POA&Ms that\nexceeded the proposed remediation dates. Table 2 below, identifies the four\nsystems having proposed remediation dates that exceeded more than a year.\n\nTable 2: Sample POA&Ms\n                                                               Projected      Status\n                        POA&M                   Remediation\n  System Acronym                POA&M Title                   Remediation      as of\n                          ID                     Start Date\n                                                                 Date        10/9/2012\n\n                                                 09/1/2010    02/28/2011       Open\n\n\n\n                                                04/14/2010    09/30/2010       Open\n\n\n                                                12/22/2008    08/31/2009       Open\n\n\n\n                                                12/15/2011    Last Updated     Open\n                                                              01/03/2012+\nSource: NIT Generated\n\nWhile we found that OIT has not achieved the proposed remediation dates, OIT\nmeets weekly and more frequently if needed to review POA&Ms and update the\nstatus or progress on outstanding POA&Ms. OIT indicated POA&Ms are not\nalways remediated by the proposed dates for several reasons, including but not\nlimited to lack of resources and changing priorities. OIT informed us that it uses\na risk approach when determining which POA&Ms may be delayed or do not\nachieve their proposed remediation dates.\n\nEven though OIT addressed some POA&Ms by their proposed remediation dates\nbased on risk, by not addressing POA&M in a timely manner could lead to\nincreased risk to the Commission information systems if the POA&M is not\nremediated in a timely manner. For example, we found a POA&M open for two\nyears, which could potentially create a risk to the SEC for the\n\n2012 FISMA Executive Summary Report                                     March 29, 2013\nReport No. 512\n                                      Page 25\n\n                           REDACTED PUBLIC VERSION\n\x0cNIST SP 800-53, Rev. 3, security assessment and authorization CA-5, plan of\naction and milestones, states an organization should develop \xe2\x80\x9ca plan of action\nand milestones for the information system to document the organization\xe2\x80\x99s\nplanned remedial actions to correct weaknesses or deficiencies noted during the\nassessment of the security controls and to reduce or eliminate known\nvulnerabilities in the system; and\xe2\x80\xa6\xe2\x80\x9d 42\n\n     Recommendation 8:\n\n     The Office of Information Technology should review all plan of action and\n     milestones (POA&M) and update its POA&M\xe2\x80\x99s tracking system to include\n     future remediation dates and ensure POA&Ms are closed or mitigated to an\n     acceptable level.\n\n     Management Comments. OIT concurred with this recommendation. See\n     Appendix VII for management\xe2\x80\x99s full comments.\n\n     OIG Analysis. We are pleased that OIT concurred with this\n     recommendation. OIG considers this recommendation resolved. However,\n     this recommendation will remain open until documentation is provided to OIG\n     that supports it has been fully implemented.\n\n\nFinding 9: OIT Did Not Update its Procedures\n         OIT issued a new policy handbook, but did not update its\n         procedures to ensure compliance with the new policy\n         handbook. As a result, OIT staff could inconsistently apply\n         informal and undocumented policies within the IT\n         environment.\n\nOIG\xe2\x80\x99s 2011 FISMA Executive Summary Report, Report No. 501, issued February\n2012, found OIT\xe2\x80\x99s documented FISMA policies and procedures were outdated.\nIn August 2012, OIT issued Policy Directive CIO-PD-08 (CIO-PD-08). 43 CIO-PD\xc2\xad\n\n41\n   List of Application POA&Ms document created in                                                       for\nthe eight major applications, within the June 2011 to June 2012 time frame.\n42\n   NIST SP 800-53, Rev. 3, p. F-35, Security Assessment and Authorization, CA-5.\n\n43\n   Policy Directive, Office of Information Technology, CIO Policy Directive, SEC OIT Security Policy\n\nFramework, Policy Number CIO-PD-08 (August 7, 2012).\n\n2012 FISMA Executive Summary Report                                                         March 29, 2013\nReport No. 512\n                                                 Page 26\n\n                                 REDACTED PUBLIC VERSION\n\x0c08 supplements existing SEC policies. In issuing CIO-PD-08, OIT is in the\nprocess of rescinding previously issued policies that cover many of the areas\ncovered in the handbook. Below, Table 3 shows the list of Securities and\nExchange Commission Regulation (SECR) OIT provided us, that we found OIT is\nin the process of rescinding.\n\n               Table 3: Listing of IT Related SECRs\n                 SECR                          Title\n                   24.04         Information Technology Security Program\n                  24-04.01       Security Policy, Program Management, and\n                                 Organizational Security\n                  24-04.02       IT Security Asset Management and FISMA Inventory\n                                 Management Program\n                  24-04.03       IT Security Human Resources Program\n\n                  24-04.04       IT Security Operations and Communications Security\n                                 Management Program\n                  24-04.05       IT Security Physical and Environment Protection\n                                 Plan\n                  24-04.06       IT Security Access Management Plan\n\n                  24-04.07       Information Security Incident Management\n\n                  24-04.08       IT Security Activities for Information System\n                                 Acquisition, Development, and Maintenance\n                  24-04.09       IT Security Business Continuity Management\n                                 Program\n                  24-04.10       IT Security Certification and Accreditation\n\n               Source: NIT Generated.\n\nAlthough OIT has now updated many of its policies, the office did not update the\nexisting procedures for the 18 control families to ensure compliance with the new\npolicy. In addition, OIT has not developed procedures for risk management,\ncontinuous monitoring management and information security oversight over\nsystems operated by SEC contractors and other entities, although this was\nidentified in OIG\xe2\x80\x99s 2011 FISMA Executive Summary report as non-existent. 44\nThough OIT has made progress in correcting policy deficiencies the lack of\nprocedures could result in OIT improperly implementing informal procedures that\nis not consistent with management\xe2\x80\x99s expectations and current policy.\n\nAccording to NIST SP 800-53, Rev. 3, an organization should develop,\ndisseminate, and review/update, as frequently as the organization policy\nspecifies, the following:\n\n44\n   The Commission is required to update procedures to reflect the agency defined frequency of three years\nas noted in the OIT\xe2\x80\x99s IT Security Compliance Program Policy, the individual policy\xe2\x80\x99s or procedure\xe2\x80\x99s defined\nfrequency as noted in the specific policy or procedure, and current NIST guidelines.\n2012 FISMA Executive Summary Report                                                        March 29, 2013\nReport No. 512\n                                                Page 27\n\n                                REDACTED PUBLIC VERSION\n\x0c         a) A formal, documented policy that addresses purpose, scope,\n            roles, responsibilities, management commitment, coordination\n            among organizational entities, and compliance;\n\n         b) Formal, documented procedures to facilitate the implementation\n            of the policy and associated controls. 45\n\nRepeat Finding and Recommendation from Prior OIG Report\nThis finding is consistent with Finding 1, \xe2\x80\x9cOIT\xe2\x80\x99s FISMA Policies and Procedures\nAre Outdated or Nonexistent\xe2\x80\x9d found in OIG\xe2\x80\x99s 2011 FISMA Executive Summary\nReport, Report No. 501, issued February 2, 2012. The finding concluded that\nOIT\xe2\x80\x99s FISMA policies and procedures were outdated and the office lacked\ndocumented procedures for risk management, continuous monitoring\nmanagement, and information security oversight over systems. OIT concurred\nwith the recommendation in Report No. 501 as follows:\n\n         Recommendation 1: The Office of Information Technology (OIT)\n         should develop and implement a detailed plan to review and update\n         OIT security policies and procedures and to create OIT security\n         policies and procedures for areas that lack formal policy and\n         procedures.\n\nThis recommendation is still open and OIT has not fully implemented it. Based on\nour review, the issues identified in OIG Report No. 501 and discussed in this\nfinding still exist. To fully resolve this finding, OIT must address this\nrecommendation.\n\nConclusion\nWe determined OIT should ensure it conducts procedure reviews and updates in\naccordance with organization-defined timeframes. OIT has procedures that need\nupdating. As such, OIT staff may not properly apply OIT\xe2\x80\x99s policies within IT\xe2\x80\x99s\nenvironment and may not receive proper guidance on implementing OIT policy,\ncurrent NIST guidance and OIT management\xe2\x80\x99s expectations for implementing\ncontrols throughout the Commission.\n\n\n\n45\n   NIST SP 800-53, Rev. 3, p. F-92, Risk Assessment (RA-1), p. F-38, Configuration Management (CM-1),\np. F-61, Incident Response (IR-1), p. F-21, Awareness and Training (AT-1), p. F-32, Security Assessment\nand Authorization (CA-1), p. F-2, Access Control (AC-1), p. F-47, Contingency Planning (CP-1), p. F-54,\nIdentification and Authentication (IA-1). Each of the control families defines policy and procedures in level\none of the control.\n2012 FISMA Executive Summary Report                                                          March 29, 2013\nReport No. 512\n                                                 Page 28\n\n                                 REDACTED PUBLIC VERSION\n\x0cThis finding contains a repeat finding, so a new recommendation will be made\npertaining to outdated policies and procedures. OIT should take immediate steps\nto mitigate the deficiencies identified in OIG Report No. 501, for recommendation\n1 and this finding and fully implement the recommendation in a timely manner.\n\n\nFinding 10: OIT Did Not Document its Interface\nBetween Contractor and SEC-Operated Systems\n        OIT did not document the interfaces between the\n        contractor/external systems and SEC-operated systems in\n        its system inventory. The absence of interface data related\n        to systems within the system inventory may lead to\n        confusion when making risk-based decisions for external\n        systems.\n\nWe reviewed four inventory compliance workbook updates for the reporting\nsystem inventories as of January 27, 2012; March 16, 2012; May 11, 2012; and\nJune 29, 2012. 46 Our review determined that interfaces between the contractor,\nexternal systems and organization-operated systems were not identified in the\nsystem inventory. We determined there should be a separate column identifying\ncontractor interfaces within the inventory compliance workbook, but none exists.\nWe concluded that OIT does not identify interfaces between contractor, external\nsystems and organization-operated systems within the inventory compliance\nworkbook. OIT\xe2\x80\x99s C&A coordinator acknowledged he was unaware of FISMA\xe2\x80\x99s\nrequirement to identify system interfaces in the system inventory, inventory\ncompliance workbook.\n\nFISMA, Section 3505 Requirements. FISMA, Section 3505, requires the head\nof the agency to develop an inventory of major information systems including\n\xe2\x80\x9c\xe2\x80\xa6an identification of the interfaces between each such system and all other\nsystems or networks, including those not operated by or under the control of the\nagency.\xe2\x80\x9d 47 48 In addition, NIST SP 800-53, Rev. 3 states \xe2\x80\x9c[t]he organization\ndevelops and maintains an inventory of its information systems\xe2\x80\x9d. 49\n\n\n\n\n46\n   An inventory compliance workbook contains an inventory of the information systems within an agency.\n\n47\n   OMB, Memorandum A-130 Revised (OMB A-130), section 6(u), Definitions, \xe2\x80\x9cThe term "major information\n\nsystem" means an information system that requires special management attention because of its importance \n\nto an agency mission; its high development, operating, or maintenance costs; or its significant role in the \n\nadministration of agency programs, finances, property, or other resources.\xe2\x80\x9d\n\n48\n   Title III, Pub. L, No. 107-347, section 3505(c)(2).\n\n49\n   NIST 800-53, Rev. 3, p. G-3, Program Management (PM)-5.\n\n2012 FISMA Executive Summary Report                                                       March 29, 2013\nReport No. 512\n                                                Page 29\n\n                                REDACTED PUBLIC VERSION\n\x0cConclusion\nWithout a proper and accurate inventory compliance workbook containing\nall major information systems, including interfaces between SEC and all\nsources (internal and external), OIT cannot effectively protect the\nCommission\xe2\x80\x99s network in the event an external system is compromised.\nIn addition, the absence of interface data related to systems within the\ninventory compliance workbook can lead to confusion when making risk\nbased decisions for external systems.\n\n   Recommendation 9:\n\n   The Office of Information Technology should identify and update the systems\n   inventory list to include interface data for external systems.\n\n   Management Comments. OIT concurred with this recommendation. See\n   Appendix VII for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OIT concurred with this\n   recommendation. OIG considers this recommendation resolved. However,\n   this recommendation will remain open until documentation is provided to OIG\n   that supports it has been fully implemented.\n\n\nFinding 11: OIT Did Not Terminate/Deactivate\nAccounts for all SEC Employees/Contractors\xe2\x80\x99\nAccess to Local Area Network Access Who No\nLonger Worked at the SEC\n       OIT did not disable the network accounts for all users (SEC\n       employees/contractors) who no longer require access or\n       who no longer work at the SEC. As a result, some users still\n       had access to the SEC\xe2\x80\x99s network, which put the Commission\n       at a higher risk for malicious acts.\n\nWe determined OIT did not terminate or disable user accounts for users (SEC\nemployees/contractors) who no longer required access or who no longer worked\nat the SEC. This occurred due to oversight or timing issues. By not disabling\nthese accounts, unauthorized employees/contractors can have access to the\nSEC\xe2\x80\x99s network and putting the SEC at a higher risk for malicious acts. Our\nreview of user accounts from August 1, 2012 to October 31, 2012, for 74 SEC\nemployees and 132 SEC contractors who no longer work at the SEC found OIT\n2012 FISMA Executive Summary Report                                   March 29, 2013\nReport No. 512\n                                      Page 30\n\n                         REDACTED PUBLIC VERSION\n\x0cdid not terminate or deactivate one SEC employee user account and nine\ncontractor user accounts. Our review of user accounts consisted of only network\naccess.\n\nSEC policy requires OIT disable user accounts immediately. 50 The directive\nstates, \xe2\x80\x9cWhen personnel are terminated from the SEC, access to SEC\ninformation and information systems will be disabled immediately following\nestablished procedures for various contingencies. SEC, upon termination of\nindividual employment: Terminates information system access and\xe2\x80\xa6\xe2\x80\x9d 51\nFurther, NIST SP 800-53, Rev. 3, requires agencies disable user accounts after\nthey separate from the agency, within the agency\xe2\x80\x99s defined frequency.\nConsistent with NIST 800-53, Rev. 3, the SEC OIT Security Policy Framework\ndirective states, \xe2\x80\x9c...SEC manages information system accounts, including:\nNotifying account managers when temporary accounts are no longer required\nand when information system users are terminated, transferred, or information\nsystem usage or need-to-know/need-to-share changes; Deactivating: (i)\ntemporary accounts that are no longer required; and (ii) accounts of terminated\nor transferred users; \xe2\x80\xa6Reviewing accounts at least annually. 52 NIST SP 800-53,\nRev. 3 also requires agencies disable user accounts after they separation within\nthe organization-defined time period of inactivity. 53\n\n     Recommendation 10:\n\n     The Office of Information Technology should conduct a full review of all user\n     accounts to determine if any were used after an employee or contractor either\n     no longer required access to SEC\xe2\x80\x99s systems or was no longer employed by\n     the SEC, and ensure the accounts are disabled.\n\n     Management Comments. OIT concurred with this recommendation. See\n     Appendix VII for management\xe2\x80\x99s full comments.\n\n     OIG Analysis. We are pleased that OIT concurred with this\n     recommendation. OIG considers this recommendation resolved. However,\n     this recommendation will remain open until documentation is provided to OIG\n     that supports it has been fully implemented.\n\n\n\n\n50\n   Policy Directive, Office of Information Technology, CIO Policy Directive, SEC OIT Security Policy\n\nFramework, Policy Number CIO-PD-08 (August 7, 2012), pp. 12-13.\n\n51\n   Ibid.\n\n52\n   Policy Directive, Office of Information Technology, CIO Policy Directive, SEC OIT Security Policy\n\nFramework, Policy Number CIO-PD-08 (August 7, 2012), pp. 28-29.\n\n53\n   NIST SP 800-53, Rev. 3, p. F-56, IA-4, Letter e.\n\n2012 FISMA Executive Summary Report                                                         March 29, 2013\nReport No. 512\n                                                 Page 31\n\n                                 REDACTED PUBLIC VERSION\n\x0c   Recommendation 11:\n\n   The Office of Information Technology should strengthen its internal controls to\n   ensure user accounts are properly terminated or disabled for employees or\n   contractors who either no longer require user access or are not employed\n   with the SEC.\n\n   Management Comments. OIT concurred with this recommendation. See\n   Appendix VII for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OIT concurred with this\n   recommendation. OIG considers this recommendation resolved. However,\n   this recommendation will remain open until documentation is provided to OIG\n   that supports it has been fully implemented.\n\n\n\n\n2012 FISMA Executive Summary Report                                 March 29, 2013\nReport No. 512\n                                      Page 32\n\n                         REDACTED PUBLIC VERSION\n\x0c                                                                         Appendix I\n\n\n                              Abbreviations\n\n\n\n\n           C&A                Certification and Accreditation\n           CFTC               U.S. Commodity Futures Trading\n                              Commission\n           CIO                Chief Information Officer\n           CIS                Center for Internet Security\n           CISO               Chief Information Security Officer\n\n\n           DAA                designated approving authority\n           DHS                Department of Homeland Security\n           DNSSEC             Domain Name Security Extension\n\n\n           FDIC               Federal Deposit Insurance Corporation\n           FIPS               Federal Information Processing\n                              Standard\n           FISMA              Federal Information Security\n                              Management Act\n           GSS                General Support System\n           HSPD-12            Homeland Security Presidential\n                              Directive-12\n\n\n           II                 Implementing Instruction\n           IPv6               Internet Protocol Version 6\n           IPSec              Internet Protocol Security\n\n           ISO                Information System Owners System\n                              owners and designated authorizing\n                              System owners and designated\n                              authorizing officials are not approving\n           IT                 Information Technology\n\n\n           NCUA               National Credit Union Administration\n\n2012 FISMA Executive Summary Report                                     March 29, 2013\nReport No. 512\n                                      Page 33\n\n                         REDACTED PUBLIC VERSION\n\x0c                                                                         Appendix I\n\n\n           NIST               National Institute of Standards and\n                              Technology\n           NIT                Networking Institute of Technology, Inc.\n           OIG                Office of Inspector General\n           OIT                Office of Information Technology\n           OMB                Office of Management and Budget\n           OP                 Operating Procedure\n           PIN                Personal Identification Number\n           PIV                Personal Identity Verification\n           PM                 Program Management\n           POA&M              Plan of Action and Milestones\n           Rev.               Revision\n           RMF                Risk Management Framework\n           SEC or             Securities and Exchange Commission\n           Commission\n           SECR               Securities and Exchange Commission\n                              Regulation\n           SDLC               System Development Life Cycle\n           SP                 Special Publication\n           SSP                System Security Plan\n           ST&E               Security Test and Evaluation\n           TIC                Trusted Internet Connections\n           TLS                Transport Layer Security\n           U.S.               United States\n           WAP                Wireless Access Points\n\n\n\n\n2012 FISMA Executive Summary Report                                  March 29, 2013\nReport No. 512\n                                      Page 34\n\n                         REDACTED PUBLIC VERSION\n\x0c                                                                       Appendix II\n\n\n                     Scope and Methodology\n\nThe full version of this report includes information that the SEC considers to be\nsensitive and proprietary. To create this public version of the report, OIG\nredacted (blacked out) potentially sensitive, proprietary information from the\nreport.\n\nScope. NIT conducted this review from June 2012 to December 2012. The\nscope of the review consisted of the following areas specified in OMB\xe2\x80\x99s fiscal\nyear 2012 FISMA reporting instructions:\n\n   \xe2\x80\xa2   continuous monitoring management\n   \xe2\x80\xa2   configuration management\n   \xe2\x80\xa2   identity and access management\n   \xe2\x80\xa2   incident response and reporting\n   \xe2\x80\xa2   risk management\n   \xe2\x80\xa2   security training\n   \xe2\x80\xa2   plan of action and milestones\n   \xe2\x80\xa2   remote access management\n   \xe2\x80\xa2   contingency planning\n   \xe2\x80\xa2   contractor systems\n   \xe2\x80\xa2   security capital planning\n\nIn addition to the security mandated requirements, NIT independently evaluated\nand reported on how the Commission has implemented the following security\nrequirements:\n\n   \xe2\x80\xa2   systems inventory and the quality of the inventory\n   \xe2\x80\xa2   enterprise security architecture\n   \xe2\x80\xa2   data and boundary protection\n   \xe2\x80\xa2   network security protocols\n\nThe evaluation criteria for the requirements listed above was based on NIST\nstandards and industry best practices. Appendix V shows the specific evaluation\ncriteria used for evaluating the security requirements.\n\nMethodology. The overall objective of the 2012 FISMA assessment was to\nassess the SEC\xe2\x80\x99s systems and provide the OIG with input to the Commission\xe2\x80\x99s\nresponse to Department of Homeland Security (DHS) Memorandum FISM 12-02\nand FY 2012 Inspector General Federal Information Security Management Act\n\n\n2012 FISMA Executive Summary Report                                   March 29, 2013\nReport No. 512\n                                      Page 35\n\n                         REDACTED PUBLIC VERSION\n\x0c                                                                                         Appendix II\n\nReporting Metrics. 54 To meet this objective, we reviewed and evaluated the\nSEC\xe2\x80\x99s implementation of information security requirements and provided the OIG\nthe results of its assessment and its recommended responses for submission to\nOMB through Cyberscope (OMB\xe2\x80\x99s online FISMA reporting system) and for\ncompiling this report. Based on interviews conducted, documentation we\nreviewed, and support documentation provided by Commission staff, NIT\ndeveloped its responses to the FISMA questionnaire. Using NIT\xe2\x80\x99s assessment\nand recommendations, the OIG submitted its responses to the 2012 FISMA\nquestionnaire through Cyberscope to OMB.\n\nWe conducted a review of the SEC\xe2\x80\x99s information security program based on\nguidance issued by OMB, DHS, and NIST and completed the data collection\ninstruments required for 2012 FISMA reporting, performed the necessary\nevaluation procedures to answer questions published by OMB and DHS in its\nreporting guidance, and compiled this executive summary report for the SEC\nOIG.\n\nTo complete OIG\xe2\x80\x99s portion of the annual FISMA questionnaire, we interviewed\nkey OIT personnel such as the information system owners, OIT staff, and\nstakeholders. We further examined governing policies, procedures, and other\nrelated documentation to address the evaluation objectives.\n\nAlso, we contacted representatives from NCUA, FDIC, and CFTC regarding their\nFISMA related practices and procedure to comply with governing guidance such\nas NIST. We benchmarked the SEC\xe2\x80\x99s reviewed controls against those at the\nNCUA, FDIC, and the CFTC. Our review of policies and procedures also\nincluded discussions with SEC officials to discuss and confirm our findings.\n\nAdditionally, we reviewed OIT\xe2\x80\x99s C&A packages, including POA&Ms, SSPs, risk\nassessments, ST&Es, C&A memoranda, and applicable policies and procedures,\nto determine OIT\xe2\x80\x99s compliance with OMB, FISMA, and NIST guidelines. Finally,\nwe reviewed documentation related to the scope of the fiscal year 2012 annual\nFISMA assessment. Overall, our analysis was based on information from\ninterviews, support documentation, artifacts, governing guidance and our\nexpertise.\n\nManagement Controls. Consistent with the objectives of this review we did not\nassess OIT\xe2\x80\x99s management control structure or its internal controls. We reviewed\nexisting controls at the Commission considered specific to the 2012 FISMA OIG\nquestionnaire. To thoroughly understand OIT\xe2\x80\x99s management controls pertaining\nto its policies and procedures and methods of operation we relied on information\n\n\n54\n  U.S. Department of Homeland Security, National Cyber Security Division, Federal Network Security, FY\n2012 Inspector General Federal Information Security Management Act Reporting Metrics, March 6, 2012.\n2012 FISMA Executive Summary Report                                                    March 29, 2013\nReport No. 512\n                                              Page 36\n\n                               REDACTED PUBLIC VERSION\n\x0c                                                                                        Appendix II\n\n\nrequested from and supplied by OIT staff members and information from\ninterviews with various OIT personnel.\n\nUse of Computer-Generated Data. We did not assess the reliability of OIT\xe2\x80\x99s\ncomputers because it did not pertain to our objectives for this review. Further,\nwe did not perform any tests on the general or application controls over OIT\xe2\x80\x99s\nautomated systems because such tests were not within the scope of our work.\nThe information was retrieved from these systems as well as the requested\ndocumentation provided to us, was sufficient, reliable, and adequate to use in\nmeeting our stated objectives.\n\nPrior OIG Reports. NIT reviewed the 2011 FISMA Executive Summary, which\nhas thirteen recommendations. 55 OIT has implemented and closed two of these\nrecommendations, but 11 remain open. While NIT found OIT is working on\naddressing the open recommendations, as noted in this report, weaknesses still\nexist. In addition, we reviewed the GAO 2012 Financial Audit and concurred OIT\ndoes not adequately ensure network accounts are terminated or deactivated\nonce access is no longer required, in multiple instances. 56\n\nJudgmental Sampling. As required by FISMA, we conducted a limited-scope\nreview of the Commission\xe2\x80\x99s information security posture. The review consisted\nof a review of the security assessment packages for a judgmental sample of 9 of\n59 SEC systems to review its security controls, that were agreed upon between\nthe OIT and NIT. The sample universe of information systems selected for the\nFY 2012 FISMA consisted of the GSS,\n                                        We based the judgmental sample on a\nlimited-scope review of both internal and external systems found in the SEC\xe2\x80\x99s\nsystem inventory.\n\n\n\n\n55\n  OIG, 2011 FISMA Executive Summary, Report No. 501 (Feb. 2, 2012).\n\n56\n  Fiscal Year 2012 Agency Financial Report, pp. 51-52, A more detailed report will be published in April\n\n2013 report entitled \xe2\x80\x9cManagement Report: Improvements Needed in SEC\'s Internal Controls and Accounting \n\nProcedures\xe2\x80\x9d.\n\n2012 FISMA Executive Summary Report                                                    March 29, 2013\nReport No. 512\n                                              Page 37\n\n                               REDACTED PUBLIC VERSION\n\x0c                                                                    Appendix III\n\n\n                       Criteria and Guidance\n\nFederal Information Security Management Act of 2002, Title III, Pub. L. No.\n107-347. Requires Federal agencies to develop, document, and implement an\nagency-wide program providing security for the information and information\nsystems supporting the operations and assets of the agency, including those\nprovided or managed by another agency, contractor, or other source.\n\nDHS Memorandum FISM 12-02, FY 2012 Reporting Instructions for the\nFederal Information Security Management Act and Privacy Management\nAct. Provides instructions to agencies for meeting fiscal year 2012 reporting\nrequirements under FISMA.\n\nU.S. Department of Homeland Security, National Cyber Security Division,\nFederal Network Security, FY 2012 Inspector General Federal Information\nSecurity Management Act Reporting Metrics. Provides general instructions\nunder each control area for the OIG questions for Cyberscope reporting.\n\nNIST Special Publication 800-16, Information Security Training\nRequirements. Provides guidance for security training and implementation.\n\nNIST Special Publication 800-18, Revision 1, Guide for Developing Security\nPlans for Federal Information Systems. Provides guidance for improving\nprotection of information system resources.\n\nNIST Special Publication 800-53, Revision 3, Recommended Security\nControls for Federal Information Systems and Organizations. Provides\nguidance related to the steps in the risk management framework addressing\nsecurity control section.\n\nNIST Special Publication 800-53A, Revision 1, Guide for Assessing the\nSecurity Controls in Federal Information Systems and Organizations\n(companion guideline to NIST Special Publication 800-53). Covers the security\ncontrol assessment and continuous monitoring steps in the risk management\nframework and provides guidance on the security assessment process.\n\nNIST Special Publication 800-37, Revision 1, Guide for Applying the Risk\nManagement Framework to Federal Information Systems: A Security Life\nCycle Approach. Provides guidance for applying the risk management\nframework to Federal information systems.\n\n\n\n2012 FISMA Executive Summary Report                                 March 29, 2013\nReport No. 512\n                                      Page 38\n\n                         REDACTED PUBLIC VERSION\n\x0c                                                                     Appendix III\n\n\nNIST Special Publication 800-137, Information Security Continuous\nMonitoring for Federal Information Systems and Organizations. Assist\nagencies in the development of a continuous monitoring strategy and the\nimplementation of a continuous monitoring program.\n\nNIST Special Publication 800-39, Managing Information Security Risk:\nOrganization, Mission, and Information System View. Provides guidance for\nan integrated, organization-wide program for managing information security risk\nto organizational operations.\n\nHomeland Security Presidential Directive-12 (HSPD-12), Policies for a\nCommon Identification Standard for Federal Employees and Contractors.\nProvides guidance and details for implementing a common identification standard\nthroughout Federal agencies.\n\nFederal Information Processing Standard Publication 199 (FIPS 199),\nStandards for Security Categorization of Federal Information and\nInformation Systems. Provides guidance on the proper categorization of an\ninformation system based on the security level of the information contained in the\nsystem.\n\nFederal Information Processing Standard Publication 200 (FIPS 200),\nMinimum Security Requirements for Federal Information and Information\nSystems. Outlines the minimum security requirements for the security of Federal\ninformation system.\n\nFederal Information Processing Standard Publication 201-1 (FIPS 201-1),\nPersonal Identity Verification (PIV) of Federal Employees and Contractors.\nOutlines the HSPD-12 requirements.\n\n\n\n\n2012 FISMA Executive Summary Report                                  March 29, 2013\nReport No. 512\n                                      Page 39\n\n                         REDACTED PUBLIC VERSION\n\x0c                                                                     Appendix IV\n\n\n                    List of Recommendations\nRecommendation 1:\n\nThe Office of Information Technology should revise its information technology\nsecurity assessment procedures to ensure they are consistent with its current\npractices and include verbiage to implement continuous monitoring and\nrequirements for on-going assessment of a subset of critical security controls.\n\nRecommendation 2:\n\nThe Office of Information Technology should develop and implement a\ncontinuous monitoring strategy in accordance with NIST Special Publication 800\xc2\xad\n137, Information Security Continuous Monitoring for Federal Information Systems\nand Organizations and NIST Special Publication 800-37, Revision 1, Guide for\nApplying Risk Management Framework to Federal Information Systems: A\nSecurity Life Cycle Approach.\n\nRecommendation 3:\n\nThe Office of Information Technology should continue to implement the existing\nproject for the development and implementation of a comprehensive risk\nmanagement strategy in accordance with NIST Special Publication 800-37,\nRevision 1, Guide for Applying Risk Management Framework to Federal\nInformation Systems: A Security Life Cycle Approach, addressing risk at the\norganization level, the mission and business process level and the information\nsystem level.\n\nRecommendation 4:\n\nThe Office of the Chief Operating Officer should ensure the Office of Risk\nManagement coordinates with the Office of Information Technology to provide\ntraining to management throughout the Commission and educate staff on their\nroles and responsibilities related to operating in a three-tiered risk management\nframework.\n\nRecommendation 5:\n\nThe Office of Information Technology should develop procedures to ensure\nFederal Information Processing Standard 199 system security categorization and\nto properly document the involvement of the information system owner (ISO) and\n\n\n2012 FISMA Executive Summary Report                                  March 29, 2013\nReport No. 512\n                                      Page 40\n\n                         REDACTED PUBLIC VERSION\n\x0c                                                                      Appendix IV\n\nthe authorizing official, respectively, in step on of the risk management\nframework.\n\nRecommendation 6:\n\nThe Office of Information Technology should revise its Federal Information\nProcessing Standard 199 system security categorization form to include\nsignature blocks for the system owner and authorizing official.\n\nRecommendation 7:\n\nThe Office of Information Technology should review and update the existing\ninformation technology security awareness training program to:\n\n   \xe2\x80\xa2\t Include specific role-based training based on the duties and\n\n      responsibilities for staff with information security roles.\n\n   \xe2\x80\xa2\t Track the progress and completion of IT staff\xe2\x80\x99s role-based training.\n\nRecommendation 8:\n\nThe Office of Information Technology should review all plan of action and\nmilestones (POA&M) and update its POA&M\xe2\x80\x99s tracking system to include future\nremediation dates and ensure POA&Ms are closed or mitigated to an acceptable\nlevel.\n\nRecommendation 9:\n\nThe Office of Information Technology should identify and update the systems\ninventory list to include interface data for external systems.\n\nRecommendation 10:\n\nThe Office of Information Technology should conduct a full review of all user\naccounts to determine if any were used after an employee or contractor either no\nlonger required access to SEC\xe2\x80\x99s systems or was no longer employed by the\nSEC, and ensure the accounts are disabled.\n\nRecommendation 11:\n\nThe Office of Information Technology should strengthen its internal controls to\nensure user accounts are properly terminated or disabled for employees or\ncontractors who either no longer require user access or are not employed with\nthe SEC.\n2012 FISMA Executive Summary Report                                   March 29, 2013\nReport No. 512\n                                      Page 41\n\n                         REDACTED PUBLIC VERSION\n\x0c                                                                                        Appendix V\n\n\n             Review of Additional Information Security\n                         Requirements\n\nIn addition to the Cyberscope requirements, we independently evaluated how the\nSEC implemented the following security requirements:\n\n     \xe2\x80\xa2   systems inventory and the quality of the inventory\n     \xe2\x80\xa2   enterprise security architecture\n     \xe2\x80\xa2   data and boundary protection\n     \xe2\x80\xa2   network security protocols\n\nThe evaluation criteria we used was based on NIST standards and industry best\npractices. Our evaluation criteria was selected based on the Fiscal Year 2012\nCIO FISMA Reporting Metrics, 57 NIST SP 800-53, Rev. 3, 58 NIST SP 800-37,\nRev. 1, 59 and NIST SP 800-39. 60\n\nSystems Inventory and the Quality of the Inventory\nBackground. System inventory is a basic tool used to identify, track, and\nmonitor information systems requiring security assessments. For each system\nrequiring a FIPS 199 analysis, a corresponding entry should exist in the system\ninventory list. In addition, the system inventory list should identify if the system is\na GSS, major application system, cloud computing system, or externally hosted\nsystem. An important part of this process is to ensure systems are properly\ninventoried in accordance with the FIPS 199 system categorization.\n\nResults. We determined the SEC has a comprehensive system inventory\nprocess and OIT issued the policy handbook, Policy Directive CIO-PD-08, SEC\nOIT Security Policy Framework, in August 2012, which addresses system\ninventory. However, many of the procedures are outdated and should be\nrevised.\n\nWe found OIT tracks and maintains systems within the system inventory\n(compliance workbook). Systems requiring C&As are tracked on a tab in the\nsystems inventory, \xe2\x80\x9cAccredited Systems.\xe2\x80\x9d\n\n57\n   US Department Homeland Security, National Cyber Security Division, Federal Network Security (February\n14, 2012). FY 2012, Chief Information Officer, Federal Information Security Management Act, Reporting\nMetrics.\n58\n   NIST SP 800-53, Rev. 3.\n59\n   NIST SP 800-37, Rev. 1.\n60\n   NIST SP 800-39.\n2012 FISMA Executive Summary Report                                                    March 29, 2013\nReport No. 512\n                                              Page 42\n\n                               REDACTED PUBLIC VERSION\n\x0c                                                                                           Appendix V\n\n\n\nWe determined OIT added systems to the system inventory (compliance\nworkbook) during the planning phase and that were removed during the\nretirement phase of the SDLC. Hence, OIT has a formal retirement process to\nremove systems from the inventory. At various points during the SDLC, items\nimpacting the system inventory list can change, such as system categorizations,\nnew systems, and contractor systems not in compliance with required baseline\nsecurity controls, which would modify the inventory list.\n\nAn important part of this system inventory process is to ensure systems are\nproperly inventoried in accordance with the system categorization. We found\nOIT reviews information categorization if a system is going through re\xc2\xad\nauthorization as part of the C&A cycle or when the system goes through a major\nchange such as personally identifiable information.\n\nBelow, Table 4 illustrates the evaluation objectives NIT used to evaluate systems\ninventory, the quality of inventory, and the results of our evaluation by objectives.\n\nTable 4: Evaluation Objectives for Systems Inventory and the Quality of\nthe Inventory\n                  Evaluation Objectives\n                                                                                 Results\n Documented policies and procedures for systems inventory        The Office of Information Technology has\n                                                                 policies and procedures that address\n                                                                 systems inventory and quality of the\n                                                                 inventory. However, the procedures are\n                                                                 outdated and should be revised.\n For each of the FIPS 199 systems categorized impact levels      The Commission has one GSS and 86\n (H = High, M = Moderate, L = Low), What is the total            major systems, and the total number of\n number of Organization information systems by                   information systems is categorized by\n Organization component (i.e. Bureau or Sub-Department           organizational component.\n Operating Element)?                                             .\n\n How does the SEC track systems that require C&As?               The Office of Information Technology\n (Reference: CIO FISMA Metrics Section 1-2)                      tracks systems within the system inventory\n                                                                 (compliance workbook).\n For each of the FIPS 199 system categorized impact levels,      There are two systems across the\n what is the total number of Organization operational, and       categorized impact levels that are using\n information systems using cloud services by Organization        cloud services by the Commission. Those\n component (i.e. Bureau or Sub-Department Operating              two systems are\n Element)? (Reference: CIO FISMA Metrics, Section 1-2)\n                                                                                           Both are\n                                                                 moderate impact systems and both are in\n                                                                 production status at the Commission.\n At what portion of the SDLC are systems added to and or         The Office of Information Technology adds\n removed from the system inventory list? (Reference: NIST        information systems to the system\n SP 800-37, Task 1-3)                                            inventory (compliance workbook)during the\n                                                                 planning phase of the SDLC.\n Are there \xe2\x80\x9ctrip-wires\xe2\x80\x9d in place within the SDLC or continuous   At various points during the SDLC, items\n monitoring program to add, modify, or remove the system in      that impact the system inventory list can\n\n2012 FISMA Executive Summary Report                                                        March 29, 2013\nReport No. 512\n                                                 Page 43\n\n                                REDACTED PUBLIC VERSION\n\x0c                                                                                        Appendix V\n\n\n                    Evaluation Objectives\n                                                                              Results\n the inventory list?                                         change, which modify the inventory.\n (Reference: NIST SP 800-37, Task 1-3)\n\n How often the information categorization of the system is   Information categorization is only reviewed\n reviewed, updated, changed, etc.? Who is involved in that   if the system is going through a re\xc2\xad\n process? What are the circumstances that determine a        authorization via a regular cycle or major\n change to system inventory? (Reference: NIST SP 800-37,     change. The individuals involved in the\n Task 1-1)                                                   process are the C&A manager, the system\n                                                             owner, and the systems engineer.\nIs there a formal retirement process in place at the         There is a formal retirement process in\norganization to remove systems from the systems              place at the Commission to remove\ninventory? (Reference: NIST SP 800-37, Task 6-7)             systems from the inventory.\nSource: NIT Generated\n\nConclusion. The SEC controls are adequate for systems inventory and the\nquality of the inventory. There were no findings related to systems inventory.\n\nEnterprise Security Architecture\nBackground. "The enterprise architecture developed by the organization is\naligned with the Federal Enterprise Architecture. The integration of information\nsecurity requirements and associated security controls into the organization\xe2\x80\x99s\nenterprise architecture helps to ensure security considerations are addressed by\norganizations early in the system development life cycle and are directly and\nexplicitly related to the organization\xe2\x80\x99s mission/business processes. This also\nembeds into the enterprise architecture, an integral security architecture\nconsistent with organizational risk management and information security\nstrategies. Security requirements and control integration are most effectively\naccomplished through the application of the Risk Management Framework and\nsupporting security standards and guidelines. The Federal Segment Architecture\nMethodology provides guidance on integrating information security requirements\nand security controls into enterprise architectures.\xe2\x80\x9d 61\n\nNIST SP 800-53 provides the following guidance pertaining to enterprise security\narchitecture:\n\n       Control\xe2\x80\x94Program Management: PM-7 Enterprise Architecture 62\n\nResults. NIT determined the SEC has an established enterprise security\narchitecture program. OIT issued the handbook, Policy Directive CIO-PD-08,\nSEC OIT Security Policy Framework, in August 2012, which addresses\n\n61\n      NIST SP 800-53, Rev. 3, p. G-4\n62\n     Ibid.\n2012 FISMA Executive Summary Report                                                     March 29, 2013\nReport No. 512\n                                               Page 44\n\n                                  REDACTED PUBLIC VERSION\n\x0c                                                                                       Appendix V\n\n\nenterprise security architecture. However, our review found the documented\nenterprise security architecture procedures are outdated based on the SEC\xe2\x80\x99s\ndefined three-year frequency found in the OIT\xe2\x80\x99s IT Security Compliance Program\nPolicy. Also, our determination was based on OIT\xe2\x80\x99s procedures that define\nfrequency as noted in the specific procedure.\n\nNIT determined the SEC\xe2\x80\x99s enterprise architecture strategic plan aligns with the\nFederal approach related to enterprise architecture. OIT identifies strategic\nelements supporting the enterprise architecture at the SEC. We also determined\nthat the OIT\xe2\x80\x99s security and privacy efforts are integrated into the enterprise\narchitecture plan.\n\nShown below is Table 5, which contains the evaluation objectives we used to\nevaluate enterprise security architecture and the results by evaluation objective.\n\nTable 5: Evaluation Objectives for Enterprise Security Architecture\n                   Evaluation Objectives                                     Results\n Does the agency enterprise architecture (EA) policy and         The Office of Information\n procedures address security and privacy                         Technology has policies and\n requirements?(Reference: NIST SP 800-53, Rev. 3, PM-7)          procedures that address\n                                                                 enterprise security\n                                                                 architecture. However, the\n                                                                 procedures are outdated and\n                                                                 should be revised.\n Is the existing organization\xe2\x80\x99s enterprise architecture plan     The Commission\xe2\x80\x99s enterprise\n in line with the Federal enterprise architecture plan?          architecture strategic plan is in\n (Reference: NIST SP 800-53, Rev. 3, PM-7, NIST 800-39,          line with the Federal approach\n Section 2.4.2)                                                  to enterprise architecture.\n Does the agency address security and privacy                    The Commission\xe2\x80\x99s enterprise\n requirements in the context of the mission and business         architecture strategy plan\n processes as part of the enterprise architecture?               addresses security and privacy\n (Reference: NIST SP 800-53, Rev. 3, PM-7, NIST 800-39,          as part of the enterprise\n Section 2.4.2)                                                  architecture.\n Does the agency enterprise architecture include an              The Office of Information\n embedded information security architecture that describes       Technology has a plan\n the integration of security and privacy requirements for        identifying the various\n providing traceability from the highest-level strategic goals   elements that support\n and objectives of organizations, through specific               enterprise architecture at the\n mission/business protection needs, to specific information      Commission.\n security solutions provided by people, processes, and\n technologies?(Reference: NIST SP 800-53, Rev. 3, PM-7,\n NIST 800-39, Section 2.4.2)\nSource: NIT Generated\n\nConclusion. The controls the SEC uses are adequate for enterprise security\narchitecture. We had no findings in this area.\n\n2012 FISMA Executive Summary Report                                                    March 29, 2013\nReport No. 512\n                                             Page 45\n\n                              REDACTED PUBLIC VERSION\n\x0c                                                                                           Appendix V\n\n\n\nData and Boundary Protection\nBackground. Data and boundary protection is the means used to assess the\nsecurity of Federal data in various environments (i.e., mobile devices and email).\nThe organization\xe2\x80\x99s information systems need to monitor and control\ncommunications at the external boundary of the system and at key internal\nboundaries within the system; and connect to external networks or information\nsystems only through managed interfaces consisting of boundary protection\ndevices arranged in accordance with the organization security architecture.\n\nMobile devices and unencrypted e-mail are a primary source of loss for sensitive\ndata and are also an easy way to carry malware back into the intranet\nenvironment. The use of encryption of data at rest or in motion is vital to protect\ndata\xe2\x80\x99s confidentiality, integrity and/or availability. NIST SP 800-53, Rev. 3\nprovides the following guidance pertaining to data and boundary protection:\n\n     Control\xe2\x80\x94System and Communications Protection: SC-7 Boundary\n     Protection 63\n\nResults. NIT determined the SEC has data and boundary protection protocols in\nplace to protect data at rest and data in transit. We further found the collection of\nphysical and logical security controls is sufficient to protect data at rest at the\nCommission. Data in transit is protected using various encryption methods such\nas Transport Layer Security (TLS), Internet Protocol Security (IPsec), and Secure\nSockets Layer (SSL), which are cryptographic protocols providing communication\nsecurity over the Internet.\n\nFurther, Trusted Internet Connection (TIC) 1.0 capabilities were implemented\nand certified, in accordance with FISMA requirements. However, TIC 2.0\ncapabilities have not been implemented and there is no current requirement to\nimplement TIC 2.0.\n\nOIT uses            a product scanning email messages for spoofed email, to\nscan inbound e-mail messages and to ensure mail identified as \xe2\x80\x9cspoofed\xe2\x80\x9d is not\nforwarded. 64 The SEC\xe2\x80\x99s email systems properly implements sender verification\n(anti-spoofing) technologies when sending messages. OIT does not allow\nattachments with an executable file extension (i.e. .exe) into its mail system.\nAdditionally, users cannot run .exe files at the SEC.\n\n\n63\n  NIST SP 800-53, Rev. 3, pp. F-108 \xe2\x80\x93 F-111.\n\n64\n  Spoofed email is email which the sender address and other parts of the email header are altered to \n\nappear as though the email originated from a different source.\n\n2012 FISMA Executive Summary Report                                                       March 29, 2013\nReport No. 512\n                                                Page 46\n\n                                REDACTED PUBLIC VERSION\n\x0c                                                                                           Appendix V\n\n\nNIT found OIT conducts scheduled scans for unauthorized wireless access\npoints (WAP) connected to the SEC network at least two times per month.\n\nTable 6 consists of the evaluation objectives NIT used to evaluate data and\nboundary protection, as well as the results listed by evaluation objective.\n\n    Table 6: Evaluation Objectives for Data and Boundary Protection\n                    Evaluation Objectives                                     Results\n     How does the SEC protect data at rest? (Reference:           The collection of security\n     NIST SP 800-53, Rev. 3, SC-28)                               technology that makes up the\n                                                                  enterprise protects the data at\n                                                                  rest.\n     How does the SEC protect data in transit? (Reference:        Data in transit is protected by SSL\n     NIST SP 800-53, Rev. 3, IA-2 (8))                            v3 and TLS encrypted tunnels.\n     Does the SEC use encryption technology to protect            Data in transit is protected using\n     email when sending messages to government agencies           various encryption methods such\n     or the public? (Reference: CIO FISMA Metrics, Section        as TLS, IPsec, and SSL, which\n     6.1)                                                         are cryptographic protocols\n                                                                  providing communication security\n                                                                  over the Internet.\n     How does the SEC manage its PKI Certificate Authority?       PKI support is managed by a\n     (Reference: CIO FISMA Metrics, Section 6.2)                  Federal or commercial shared\n                                                                  service provider.\n     Which TIC 1.0 Capabilities have been implemented by          TIC 1.0 capabilities have been\n     SEC? (Reference: CIO FISMA Metrics, Section 7.1)             implemented and certified at the\n                                                                  Commission, in accordance with\n                                                                  FISMA requirements.\n     Has the SEC implemented any of the TIC 2.0                   The TIC 2.0 capabilities have not\n     Capabilities? If so which ones? (Reference: CIO FISMA        been implemented; however, as of\n     Metrics, Section 7.1)                                        this report, there is no current\n                                                                  requirement to implement TIC 2.0.\n     Is there a formal Project Plan developed to implement        The TIC 2.0 capabilities have not\n     TIC 2.0 Capabilities? (Reference: CIO FISMA Metrics,         been implemented; however, as of\n     Section 7.1)                                                 this report, there is no current\n                                                                  requirement to implement TIC 2.0.\n     Has the SEC deployed Einstein, Einstein 2? Einstein 3?       Einstein 3 is deployed at the\n     (Reference: CIO FISMA Metrics, Section 7.2)                  Commission.\n     What is the percentage of external network traffic to/from   The percentage of external traffic\n     the SEC that passes through the TIC/MTIPS?                   to/from the TIC/MTIPS is 100%.\n     (Reference: CIO FISMA Metrics, Section 7.3)\n     What types of external network traffic to/from the SEC       Not applicable. See previous\n     that does not pass through the TIC? (Reference: CIO          response above.\n     FISMA Metrics, Section 7.3)\n     How many email systems are used by the SEC? What             There is only one email system\n     are they? (Reference: CIO FISMA Metrics, Section 7.7)        used by the Commission, and that\n                                                                  is Exchange 2010.\n     What type of (anti-spoofing) technologies are                The Commission uses Ironport, a\n     implemented by SEC e mail systems? (Reference: CIO           product that scans email\n     FISMA Metrics, Section 7.6)                                  messages for spoofed email, to\n                                                                  scan inbound e-mail messages\n                                                                  and to ensure mail identified as\n                                                                  \xe2\x80\x9cspoofed\xe2\x80\x9d is not forwarded.\n     What is the percentage of SEC email systems that             The percentage of email systems\n\n2012 FISMA Executive Summary Report                                                       March 29, 2013\nReport No. 512\n                                               Page 47\n\n                               REDACTED PUBLIC VERSION\n\x0c                                                                                           Appendix V\n\n\n                    Evaluation Objectives                                    Results\n     implement sender verification (anti-spoofing)              that implement sender verification\n     technologies when sending messages? (Reference: CIO        (anti-spoofing) is 100%.\n     FISMA Metrics, Section 7.6)\n     How does the SEC email system implement sender             All of the Commission\xe2\x80\x99s email\n     verification (anti-spoofing) technologies? (Reference:     systems implement sender\n     CIO FISMA Metrics, Section 7.6)                            verification (anti-spoofing)\n                                                                technologies when sending\n                                                                messages.\n     Does the SEC have the capability to check incoming         The Commission does not allow\n     email traffic where the link/attachment is                 attachments with an executable\n     executed/opened in a sandbox/virtual environment in-line   file extension (i.e. .exe) into the\n     to ascertain whether or not it is malicious, and           mail system. Additionally, users\n     quarantined as appropriate, before it can be opened by     cannot run .exe files at the\n     the recipient? (Reference: CIO FISMA Metrics, Section      Commission.\n     7.7)\n     Does the SEC conduct scheduled scans for                   The Office of Information\n     unauthorized wireless access points (WAP) connected to     Technology conducts scheduled\n     an SEC network? What tool is used? How frequently?         scans for unauthorized wireless\n     (Reference: CIO FISMA Metrics, Section 7.8)                access points (WAP) connected to\n                                                                the SEC network.\n     What is the percentage of hardware assets which are in     One hundred percent of the\n     facilities where WAP scans are conducted? (Reference:      hardware assets are included in\n     CIO FISMA Metrics, Section 7.8)                            those scans.\n     What network boundary devices are assessed by an           The Office of Information\n     automated capability to ensure that they continue to be    Technology conducts scheduled\n     adequately free of vulnerabilities and are adequately      scans for unauthorized WAP\n     configured as intended, such as to adequately protect      connected to the SEC network at\n     security? (Reference: CIO FISMA Metrics, Section 7.12)     least two times per month.\n    Source: NIT Generated\n\nConclusion. The controls in place at the Commission are adequate for data and\nboundary protection, and there were no findings related to data and boundary\nprotection.\n\nNetwork Security Protocols\nBackground. Network security protocols should be in place at the organization\nestablishing usage restrictions and implementation guidance for Internet access.\nThe need for security and privacy has led to several security protocols and\nstandards. Domain Name System Security Extension (DNSSEC) is used at the\nFederal level.\n\nResults. NIT found the OIT uses DNSSEC to prevent the pirating of government\ndomain names. We determined OIT is capable of using Internet Protocol Version\n6 (IPv6); however, there are no requirements for the office to implement IPv6.\nOIT is capable and ready to upgrade to IPv6 by fiscal year 2014, and is using the\nDepartment of Homeland Security (DHS) tool to inspect for DNSSEC and IPv6\n\n2012 FISMA Executive Summary Report                                                       March 29, 2013\nReport No. 512\n                                             Page 48\n\n                              REDACTED PUBLIC VERSION\n\x0c                                                                                  Appendix V\n\n\ncompliance. Finally, OIT has taken steps to ensure DNSSEC certificates do not\nexpire.\n\nTable 7, shown below, contains the evaluation objectives NIT used to evaluate\nnetwork security protocols and our results are listed by the evaluation\xe2\x80\x99s objective.\n\nTable 7: Evaluation Objectives for Network Security Protocols\n                   Evaluation Objectives                                 Results\n Does the SEC use the Domain Name System Security             The Commission uses\n Extension (DNSSEC) at the Federal level to prevent the       DNSSEC to prevent the\n pirating of government domain names? (Reference: CIO         pirating of government\n FISMA Metrics, Section 11.1a)                                domain names.\n Has the SEC upgraded public/external facing servers and      The Commission is capable\n services (e.g. web, email, DNS, ISP services, etc.) to       of using        however, as of\n operationally use native IPv6 by the end of FY 2012?         this report, there is no current\n (Reference: CIO FISMA Metrics, Section 11.1)                 requirement to implement\n\n Is there a plan in place to upgrade internal client          The Commission is capable\n applications that communicate with public Internet servers   and ready to upgrade to IPv6\n and supporting enterprise networks to operationally use      by fiscal year 2014.\n native IPv6 by the end of FY 2014?(Reference: CIO FISMA\n Metrics, Section 11.2)\n Does the SEC use any of the tools offered by                 The Commission is using a\n DHS/NPPD/NCSD/FNS to enable organizations to inspect         DHS tool inspecting for\n for DNSSEC and IPv6 compliance? If so which tools?           DNSSEC and IPv6\n (Reference: CIO FISMA Metrics, Section 11 (FY 2012           compliance.\n target))\n What steps are taken by SEC to ensure that DNSSEC            The Commission has steps to\n certificates do not expire if not updated by the owning      ensure the DNSSEC\n Organization? (Reference: CIO FISMA Metrics, Section 11      certificates do not expire.\n (FY 2012 target))\nSource: NIT Generated\n\nConclusion. The controls in place at the Commission are adequate for network\nsecurity protocols, and there were no findings.\n\n\n\n\n2012 FISMA Executive Summary Report                                              March 29, 2013\nReport No. 512\n                                           Page 49\n\n                            REDACTED PUBLIC VERSION\n\x0c                                                                    Appendix VI\n\n\n               POA&Ms and Remediation Dates\n\nTable 8: POA&Ms and Remediation Dates\n                                                           Up-                  No. of Years \n\n                                                  No. of    to-                     Past\n\n                  POA&M Document        No. of\n System Name                                      Open     Date    Comments      Projected\n\n                     Reviewed          POA&Ms\n                                                 POA&Ms                         Remediation\n\n                                                           Y   N\n                                                                                    Date\n\n\n\n\n2012 FISMA Executive Summary Report                                 March 29, 2013\nReport No. 512\n                                      Page 50\n\n                         REDACTED PUBLIC VERSION\n\x0c                                                                       Appendix VI\n\n                                                              Up-                  No. of Years\n                                                     No. of    to-                     Past\n                        POA&M Document     No. of\n System Name                                         Open     Date    Comments      Projected\n                           Reviewed       POA&Ms\n                                                    POA&Ms                         Remediation\n                                                              Y   N\n                                                                                       Date\n\n\n\n\nSource: NIT Generated\n2012 FISMA Executive Summary Report                                    March 29, 2013\nReport No. 512\n                                         Page 51\n\n                             REDACTED PUBLIC VERSION\n\x0c                                                                                                                 Appendix VII\n\n\n                                       Management Comments\n\n\n\n\n                                                        MEMOR A N D U M\n                                                             March 26, 20 1 3\n\n\n\nTo:                     J a cqu e lin e Wil son , A ssis t a nt Inspector G e n e ra l for Aud its , Office of Inspector Gene ral\n\nFrom :                 ;}ft!\'~P. Chief ~~.?ffice~ --~~;\'l.3\n                        Thomas A .     B~hief Informa tio n O fficer, Office                 of Informa t ion T e chnology\n\nSubject:                Management Respon se. 2 01 2 F I S MA E x ecutive Summa ry, R eport No. 512\n\n\n\nThank you for the opportunity to comment on the recommendations in the report annotat ed\nabove, as we work together for t he integrity and efficiency of the Commission. We appreciate\nthe Office of Inspector General\'s insights and a r e p r ovidi ng t he official response f r om the Office\nof I nformation T echnology (OIT) .\n\n\nRecom men dati o n 1 : " T he Office of Information T echnology should revise its information\ntechnology security assessment procedures a r e cons isten t w ith its current practices and include\nve r biage to implement continuous monitoring and re quire m e nts for on-goi ng assessment of a\nsubset of critical secur ity con t rols ."\n\nM a n a g e m e nt R e sponse : OIT concurs with the recornmendation . OIT Securi ty is currently\nupdating its pol icies and proce dur es to include v erbiage to directly address the continuous\nmonitorin g program.\n\n\n\nRec omm e n d a t i o n 2: " The Office of I nformation Technology should develop a n d implement a\ncontinuous monitoring strategy in accordance with N IST publication 800- 137, Information\nSecurity Continuous M onitoring for F e d e ral Informa tion Systems a nd Orga niz ations and NIST\nPublication 800- 37, Revision 1 , Guide for Applying Ris k M a nagement F r a mework to Federal\nInformation Systems: A Security L ife Cycle Approach."\n\nMan agem e n t Re s pon s e : OIT concurs with t he recommendation.\n\n\n\nRecommendation 3 : " The Office of I nformation Technology shou ld continue to i m p lemen t th e\ne x isting project for the dev e lopment an d i mplementation of a compre hensive r i sk management\ns t rateg y in accordance with NIS T Special Publ ication 800- 3 7, revis ion 1 , Guide for Applying\nRisk Management F ramework to Federal Information Systems: A Security Life Cycle Approach,\n\n\n1\n    Pa m e la C. Dyso n , D e puty Chi e f Inform a tion Officer, Offi ce o f I n f o rmati on Techno lo g y\n\n\n\n\n    2012 FISMA Executive Summary Report                                                                           March 29, 2013\n    Report No. 512\n                                                                 Page 52\n\n                                             REDACTED PUBLIC VERSION\n\x0c                                                                                Appendix VII\n\n\n\n\naddressing risk at the organization level, the mission and business process level and the\ninformation system level."\n\nManagement Response: OIT concurs with the recommendation and is in the final stages of the\nexisting project.\n\n\n\nRecommendation 4: "The Office of the Chief Operatir,tg Officer should ensure the Office of Risk\nManagement coordinates with the Office of Information Technology to provide training to\nmanagement throughout the Commission and educate staff on their roles and responsibilities\nrelated to operating in a three-tiered risk ll\'!anagement framework."\n\nManagement Response: OCOO concurs with the recommendation. OCOO Operational Risk\nManagement is currently coordinating with the Office of Information Technology to update\npolicies and will coordinate to provide training to management throughout the Commission and\neducate staff on their roles and responsibilities related to operating in a three-tiered risk\nmanagement framework.\n\n\n\nRecommendation 5: "The Office of Information Technology should develop procedures to\nensure FIPS 199 system security categorization requirements and to properly document the\ninvolvement of the information system owner (ISO) and the authorizing official, respectively, in\nstep one of the risk management framework."\n\nManagement Response: OIT concurs with the recommendation and will take steps to ensure\nthe participation of the ISO in the categorization process, as well as documenting their\ninvolvement.\n\n\n\nRecommendation 6: "The Office of Information Technology should revise its FIPS 199 system\nsecurity categorization form to include signature blocks for the system owner and authorizing\nofficial."\n\nManagement Response: OIT concurs with the recommendation.\n\n\n\nRecommendation 7: "The Office of Information Technology should review and update the\nexisting information technology security awareness training program to:\n\n           \xe2\x80\xa2   Include specific role-based training based on the duties and responsibilities for\n               staff with information security roles.\n           \xe2\x80\xa2   Track the progress and completion of IT staffs role-based training ."\n\nManagement Response: OIT concurs with the recommendation.\n\n\n\n\n 2012 FISMA Executive Summary Report                                            March 29, 2013\n Report No. 512\n                                           Page 53\n\n                             REDACTED PUBLIC VERSION\n\x0c                                                                             Appendix VII\n\n\n\n\nRecommendation 8: "The Office of Information Technology should review all plan of action and\nmilestones (POA&M) and update its POA&M\'s tracking system to include future remediation\ndates and ensure POA&Ms are closed or mitigated to an acceptable level."\n\nManagement Response: OIT concurs with the recommendation.\n\n\n\nRecommendation 9: "The Office of Information Technology should identify and update the\nsystems inventory list to include interface data for external systems."\n\nManagement Response: OIT concurs with the recommendation and will ensure interface data\nfor external systems is recorded explicitly in the systems inventory.\n\n\n\nRecommendation 10: "The Office of Information technology should conduct a full review of all\nuser system accounts and disable or delete those that no longer require access."\n\nManagement Response: OIT concurs with the recommendation.\n\n\n\nRecommendation 11: "The Office of Information Technology should strengthen its internal\ncontrols to ensure user accounts are properly terminated or disabled for employees or\ncontractors who either no longer require user access or are not employed with the SEC."\n\nManagement Response: OIT concurs with the recommendation.\n\n\n\nIn addition to the Recommendations listed above, some prior-year recommendations were still\noutstanding and carried over from OIG\'s 2011 F/SMA Executive Summary Report, Report No.\n501. issued in February 2012.\n\nOIT is actively working on all existing, open Recommendations and is fully committed to\nresolving them as expeditiously and effectively as possible.\n\n\n\n\n 2012 FISMA Executive Summary Report                                          March 29, 2013\n Report No. 512\n                                          Page 54\n\n                            REDACTED PUBLIC VERSION\n\x0c                     Audit Requests and Ideas \n\n\nThe Office of Inspector General welcomes your input. If you would like to request\nan audit in the future or have an audit idea, please contact us at:\n\nU.S. Securities and Exchange Commission\nOffice of Inspector General\nAttn: Assistant Inspector General, Audits (Audit Request/Idea)\n100 F Street, N. E.\nWashington D.C. 20549-2736\n\nT el.#: 202-551-6061\nF ax#: 202-772-9265\nEmail: oig@sec.gov\n\n\n\n\n      To report fraud, waste, abuse, and mismanagement at SEC,\n      contact the Office of Inspector General at:\n\n      Phone: 877.442.0854\n\n      Web-Based Hotline Complaint Form:\n      www.reportlineweb.com/sec_oig\n\x0c'